Report a Vulnerability
Submit, help fixing, get kudos.
Start a Bug Bounty
Run your bounty program for free.
733,778 coordinated disclosures
435,682 fixed vulnerabilities
1141 bug bounties with 2,191 websites
20,549 researchers, 1254 honor badges

Leon | Security Researcher Profile

Security researcher Leon has already helped fix 260 vulnerabilities.

Researcher reputation:  370

Real name:
Aldo Moreno

About me:
Cybersecurity enthusiast.
Bug bounty hunter.

How to contact me:
English or Spanish communication.

[email protected]

If you want to pentest your website, contact me.

Alternative Contacts:
[email protected]

Experience in Application Security
1-3 years

Award / Bug Bounty I prefer:
This is only if you want to reward me.
Paypal, Transferwise, BTC, gifts.

Paypal: [email protected]
Transferwise: [email protected]
BTC: 33x6BpPjBiR7g5UeefGQQuZLW2BVAd3aQV

Halls of Fame:
Telefonica Germany

Follow me on:

Recommendations and Acknowledgements

@Downnotify     29 March, 2019
    Twitter Downnotify Marijn Otte from
Aldo found a big security issue in our application, using a creative way to exploit it.
@AsictSoc     18 November, 2020
    Twitter AsictSoc Security Operation Center from Politecnico di Milano:
Dear Leon,

the SOC of Politecnico di Milano would like to thank you for disclosing us a XSS vulnerability on our infrastructure.
@kevinBaseCom     21 February, 2020
    Twitter kevinBaseCom Kevin from Online Commerce Ltd:
Thanks for finding and alerting about an XSS issue with our newsletter.
@SecuriteInfoCom     10 February, 2020
    Twitter SecuriteInfoCom Arnaud Jacques from
Very good pentester.
Thank you Aldo !
@phdev6     12 September, 2019
    Twitter phdev6 ph-dev from Peter Hahn:
Leon found a XSS bug on our site. Thanks a lot!
@itsecop     23 April, 2019
    Twitter itsecop itsecop :
Thanks Geek_Pwn, for pointed out XSS vulnerabilities on our website!
Your input was very much appreciated!
@JimM97459222     17 February, 2019
    Twitter JimM97459222 Jim from GH:
Thank you for pointing out the XSS vulnerability in our site. We appreciate your work and quick response. Thank you!!
@HIGHFLYERS_WA     19 December, 2018
    Twitter HIGHFLYERS_WA Tom from WADC:
Thanks a lot for making our webserver more secure! Thums up!
@nietofarias     10 July, 2018
    Twitter nietofarias Ignacio Nieto from Despegar:
Thanks Aldo for reporting us some XSS vulnerabilities! It was very helpful!
@TucWebmaster     25 June, 2018
    Twitter TucWebmaster Frank Richter from TU Chemnitz:
Geek_Pwn discovered XSS bugs in my site. Thanks for reporting them to us and checking our fixes, your work is appreciated!

Shows the first 10 recommendations. See all.

Please login via Twitter to add a recommendation

Honor Badges

Number of Secured Websites

10+ Secured Websites Badge
50+ Secured Websites Badge
500+ Secured Websites Badge
Web Security Veteran Badge
10+ Websites
50+ Websites
500+ Websites
1000+ Websites

Advanced Security Research

WAF Bypasser Badge
CSRF Master Badge
AppSec Logic Master Badge
Fastest Fix Badge
WAF Bypasser
CSRF Master
30+ Reports
AppSec Logic Master
30+ Reports
Fastest Fix
Fix in 24 hours

Outstanding Achievements

Secured OBB Badge
OBB Advocate Badge
Improved OBB Badge
Secured OBB
OBB Advocate
Improved OBB

Commitment to Remediate and Patch

Patch Master Badge
Patch Guru Badge
Patch Lord Badge
Patch Master
55% Patched
Patch Guru
65% Patched
Patch Lord
75% Patched

Recommendations and Recognition

10+ Recommends
25+ Recommends
50+ Recommends

Distinguished Blog Author

Distinguished Blog Author Badge
Distinguished Blog Author Badge
Distinguished Blog Author Badge
1 Post
3 Posts
5+ Posts

Research Statistics

Total reports:370
Total reports on VIP sites:40
Total patched vulnerabilities:260
Recommendations received:17
Active since:20.09.2017

Open Bug Bounty Certificate

Researcher Certificate

18.09.2019  SSRF | Reading Local Files from DownNotifier server

Hello guys, this is my first write-up and I would like to share it with the bug bounty community, it’s a SSRF I found some months ago.

DownNotifier is an online tool to monitor a website downtime. This tool sends an alert to registered email and sms when the website is down.

DownNotifier has a BBP on Openbugbounty, so I decided to take a look on When I browsed to the website, I noticed a text field for URL and SSRF vulnerability quickly came to mind.

Reported Vulnerabilities

All Submissions VIP SubmissionsFeatured Submissions

  Latest Patched


  Latest Blog Posts

25.12.2020 by _Y000_
How to bypass mod_security (WAF)
10.12.2020 by _Y000_
sql injection to bypass Mod_Security
10.12.2020 by _Y000_
Create encoded sql payloads
26.10.2020 by _r00t1ng_
Bypass Addslashes using Multibyte Character
26.10.2020 by _r00t1ng_
One Payload to Inject them all - MultiQuery Injection

  Recent Recommendations

@smiteworks     15 January, 2021
    Twitter smiteworks:
Rajesh was very helpful in providing information and penetration testing on our site. With this information, we were able to harden our infrastructure.
@mhmitu     15 January, 2021
    Twitter mhmitu:
Hi Praveen,
Thanks for the help with the vulnerability. Very fast and friendly contact.
@matrixrewriter     15 January, 2021
    Twitter matrixrewriter:
We had no idea that this vulnerability existed in many PHP-based websites and you kindly reported it to us. Thanks for your help and all the best for your career!
@SilensStudio     14 January, 2021
    Twitter SilensStudio:
Thank you very much for informing us about our access vulnerability! The world needs more good guys like you! A+!
@JoseLev41970568     14 January, 2021
    Twitter JoseLev41970568:
Specialist in web application penetration tester, student and passionate about computer security and ethical hacking.