Disclosures

Security vulnerabilities I’ve reported through coordinated disclosure.

• CVE-2025-30154 - reviewdog/action-setup compromise
• GHSA-q4pp-j36h-3gqg - basti-cdk SSM IAM bypass (writeup)
• VSCode Extension Marketplace Secrets Leakage - 550+ secrets in extensions, 100+ leaked tokens enabling malicious updates to ~150K extensions (Microsoft)
• Gomboc VSCode Extension Key Leak - development API key in published extension
• RDS Snapshot Public Sharing - writeup (AWS)
• DocumentDB Snapshot Public Exposure - writeup (AWS)

Acknowledgements

• NVIDIA
• Open VSX
• SAP

Bug Bounty

HackerOne