Identified a Broken Access Control issue in the invitation workflow that allowed manipulation of user-role parameters, resulting in disrupted invite management for workspace administrators. Discovered an access control bypass exposing restricted workspace data to member-level users.

Reported an XSS vulnerability allowing arbitrary script execution via crafted URL parameters.

Identified a logic flaw in the document-signing workflow that allowed unauthorized modification of signer permissions after a document was approved.

Identified an IDOR issue in the WebSocket-based commenting flow that enabled posting comments as another user. Identified an IDOR issue in the comment system that allowed unauthorized deletion of another user’s comments.

Reported a server-side access control flaw that allowed members to retrieve signature image URLs from password-protected documents via an exposed GraphQL query.

Reported a business logic issue in workspace ownership and user-management flows that enabled users to rejoin in a state where the true owner could no longer delete them.

Identified an OAuth state-handling weakness allowing attackers to force a victim’s account to integrate with an attacker-controlled Slack workspace.

Identified that document access tokens were publicly discoverable and could be used to view documents and associated user information without authentication.

Identified an API key mismanagement issue that allowed former admins to retain and use organization-level API keys after being removed from the workspace.