You're seeing this page as if you were . The main menu is still yours, though. Exit from immersion
Raphaël D.RD

Raphaël D.

Bug Hunter | Web and API Pentester

€540/day
Rouen, FR
3-7 years

Average response time: 1 hour

Freelancer profile translated to English.
Back to original language

About Raphaël

I'm Raphaël, an independent Bug Hunter and Web & API Pentester.

I specialize in the offensive security audit of your web platforms and APIs, the environments where high-impact vulnerabilities are concentrated: injections, IDOR, broken authentication, business logic bypasses, XSS, SSRF, and many others.

My approach is directly from the field. I actively participate in bug bounty programs on YesWeHack and Intigriti, with vulnerabilities identified on high-profile targets (CAC40 groups, government sites .gouv, e-commerce).

What I test:
  • Web applications (front and back-end)
  • REST and GraphQL APIs
  • Authentication and session management mechanisms
  • Business logic and access control
  • Sensitive data exposure
Who I target:SMEs, web agencies, SaaS publishers, local authorities, and administrations looking to validate the security of their platform before production, for an audit of an existing site, or following an incident.

I deliver a clear and actionable report with vulnerabilities classified by criticality, their proof of exploitation (PoC), and remediation recommendations.

Feel free to contact me if you have any questions.

I never disclose client names; our conversation remains strictly confidential.

My website: bughunter.pro
  • French

    Native or bilingual

Remote only
Primarily works remotely

Experience

  • Plateforme web
    CSRF - Email address change without confirmation
    June 2026 - June 2026
    Identification of a CSRF (Cross-Site Request Forgery) vulnerability on the email address change form. By tricking an authenticated user into opening a malicious link (web page, redirect, or email), the attacker could silently substitute the target account's email address with their own without confirmation of the old address and without validation of the new one. This flaw directly paved the way for account takeover.
    Classified as High.
    Security Audit Bug Bounty Penetration Testing Cybersecurity Awareness
  • Site e-commerce
    Business logic bypass of flawed purchase limit
    June 2026 - June 2026
    Identification of a business logic flaw allowing a user to order multiple units of an item normally limited to one unit per account. The constraint, applied only on the client-side, was bypassable through direct manipulation of HTTP requests. Potential impact on stock, sales fairness, and platform revenue.
    Classified as Medium.
    Security Audit Bug Bounty Web Penetration Testing Cybersecurity
  • Administration publique française
    Critical IDOR unauthorized access to all user data
    April 2026 - April 2026
    Discovery of an IDOR (Insecure Direct Object Reference) vulnerability on an official French government platform (.gouv.fr). The flaw allowed any authenticated user to access the complete profiles of other registered users, without server-side access control.
    Classified as Critical.
    Bug Bounty Security Audit Penetration Testing Cybersecurity

Recommendations

Be the first to recommend Raphaël

Help this freelancer shine by sharing your experience working together.

These freelancer profiles also match your criteria

AgathaA

Agatha Frydrych

Backend Java Software Engineer

4.7

(3)

2

BaptisteB

Baptiste Duhen

Fullstack developer

4.6

(4)

5

AmedA

Amed Hamou

Senior Lead Developer

4

(2)

7

AudreyA

Audrey Champion

Web developer

4.3

(3)

4

Skill set

Categories