Cybersecurity · Development · Research

Zach Nichols.

Grade 11 at GHS. I find security flaws, write code, and speak three languages. Ten industry certifications. Started when I was 11.

  • English
  • Deutsch
  • Русский

About Me

The short version.

I got into cybersecurity when I was 11. Since then I've been finding security flaws in real software and (sometimes) reporting them to the companies so they can patch things up. I've pulled in over $275,000 in bug bounties from places like Spotify and Netflix. I'm fluent in three languages and I can code in over 16 programming languages. Pretty much everything I know is self-taught.

  • $275K+ Earned
  • 10 Certs
  • 3 Fluent
  • 16+ Code

This stupid ass project has taken an entire fuckin' week to do. Can a website not have 5000000 errors?? Like, fuck.

Me

Journey

How it started and where it's going.

  1. Age 11

    First Bug Bounties

    Found vulnerabilities in both Spotify and Netflix. Got paid $25,000 combined before turning 12.

  2. First Certification

    Passed CompTIA Security+ and started collecting industry certifications while still in middle school.

  3. OSCP + CEH

    Earned two of the toughest offensive security certifications in the same year.

  4. CISSP

    One of the youngest people to hold the industry's top security management certification.

  5. Still Going

    More certifications, more research, more projects. Not slowing down.

Projects

Things I've built and bugs I've found.

Spotify (Spotigrade)

$10K bounty

When I was 11 I found a flaw in Spotify that let anyone get premium for free. I built a tool called Spotigrade as a proof of concept and Spotify ended up paying me $10,000 to get it fixed. You can still find traces of it online if you search for it.

Bug Bounty · Authentication · Disclosure

Netflix

$15K bounty

Found a similar flaw in Netflix around the same time. They were quick about it and paid out $15,000 to get it patched.

Bug Bounty · Authentication

Anti-CSAM Takedowns

Impact

Teamed up with a group of independent researchers to find and take down multiple websites hosting child abuse material. We got results where bigger organizations couldn't and made sure the people running them stayed offline.

Collaboration · Takedowns · Child Safety

School Board Security Audit

Ongoing

I'm currently "hacking" TVDSB. Their team is trying to find out who I am and how, while I keep it alive. This is a perfect example of how much is at risk, and how bad their security is.

Red Team · Education · Active

Certifications

10 industry certifications and counting.

  • Security+
    CompTIA
  • Network+
    CompTIA
  • GSEC
    GIAC
  • PenTest+
    CompTIA
  • OSCP
    Offensive Security
  • CEH
    EC-Council
  • Cybersecurity
    Google
  • CISSP
    ISC²
  • CISA
    ISACA
  • GCIH
    GIAC

Languages I Code In

Grouped by what they're used for.

Systems & Performance

  • C
  • C++
  • C#
  • Rust
  • Go

Web & Applications

  • JavaScript
  • PHP
  • Java
  • HTML / CSS
  • SQL
  • Ruby

Scripting & Automation

  • Python
  • Lua
  • PowerShell
  • Batch

Low Level

  • Assembly

Quick Facts

Some stuff that doesn't fit anywhere else.

  • $275K+ in Bounties
    Earned from finding and reporting vulnerabilities in real world software.
  • Trilingual
    Fluent in English, German, and Russian.
  • Self Taught
    Everything I know about security and coding I taught myself.
  • Still in High School
    Grade 11 at GHS. Doing school and security research at the same time.