Private bug bounty researcher · Bohol, Philippines

Judel Palaca

Private bug bounty researcher focused on web security, practical testing, and automation.

I work primarily on private bug bounty engagements, study web application behavior, and build simple workflows that improve the quality and efficiency of my research.

Web Security

Testing web applications and understanding real attack surfaces.

Private Bounty

Focused on private programs, practical attack paths, and high-signal testing.

Automation

Building lightweight workflows that make security research more efficient.

Professional focus

I am a full-time private bug bounty researcher with a strong interest in web application security, practical analysis, and continuous learning through hands-on work. I enjoy understanding how systems behave, identifying meaningful security issues, and refining my workflows over time.

What I look at closely

Authentication

Login, reset flows, session handling, identity checks, and account recovery paths.

Access Control

Permission boundaries, role checks, tenant separation, and IDOR-style issues.

Business Logic

Application workflows, trust assumptions, and practical high-impact logic flaws.

Scoped web application reviews

I am available for limited-scope web application security reviews with a focus on practical testing, authentication and access control, and business logic issues.

Engagements are scoped carefully and handled with a practical, manual-testing approach.

What I can review

Authentication flows, authorization and access control, account management, invitation flows, file access, application logic, and other web application attack surfaces.

How I work

Small, clearly scoped engagements with manual testing, practical findings, reproducible reports, and straightforward remediation notes.

Typical scope

Web applications, user flows, account roles, permission boundaries, and business logic reviews.

Selected merged public work

I contribute practical improvements to open-source projects, with recent merged work spanning accessibility, frontend performance, configuration, and code quality updates.

Merged PR · Code Quality

Rapina

Cleaned up singularize-related dead code warnings and aligned the change with the project’s feature-gated build requirements after review feedback.

Merged PR · Configuration

AegisFlow

Added configurable max_body_size support to server configuration and documented the setting for cleaner request size control.

Merged PR · Performance

SurfSense

Improved markdown rendering performance by lazy-loading the syntax highlighter only when fenced code blocks are actually rendered.

Merged PR · Accessibility

SurfSense

Improved accessibility by adding proper aria-label and aria-pressed support to the web search toggle for assistive technology.

GitHub · Public Work

Profile

More public work, experiments, small utilities, and contributions are available on my GitHub profile.

Approach · Engineering

Contribution Style

I prefer small, reviewable changes that improve usability, maintainability, performance, and implementation quality in real codebases.

Get in touch

Available for private security work, research discussions, and security-related inquiries.