17-Year-Old Bangladeshi Ethical Hacker Discovers NASA Bug, Gets Official Appreciation

However, Shuvon chose the responsible path. He reported the issue through NASA’s official Vulnerability Disclosure Program. In February 2025, NASA officially thanked him with a letter of appreciation.

Shuvon, who is currently studying Information Technology at the University of Cyberjaya in Malaysia, is not new to success in cybersecurity. Alongside his studies, he works as an Information Security Analyst at ERTH (Blue Bee Technologies Sdn. Bhd.), a tech company that provides cybersecurity services.

“I explored free courses, YouTube tutorials, books, and PDFs,” Shuvon recalls. “I worked in different tech sectors, like SEO, graphic design, and video editing. But cybersecurity is my true passion.”

On June 11, 2024, Shuvon discovered a serious bug in NASA’s system. He explained how he found the issue. “First, I studied recent vulnerabilities that others had found and tested them, but none worked. Then, I combined several vulnerabilities and tried an IDOR (Insecure Direct Object Reference) technique with SSRF (Server-Side Request Forgery).”

“By chaining these together, I discovered a bug that gave me access to Earth data containing personal information. With this access, someone could have done phishing attacks, sold the data, or used it unethically. I reported it to NASA, and they fixed it.”

He added, “Before finding NASA’s vulnerability, I researched many public reports about bugs. I practiced with those methods but couldn’t use them properly at first. Eventually, I found NASA’s domain where their Earth data was stored, which led to the discovery.”

Shuvon followed the legal process to report the issue by using NASA’s Vulnerability Disclosure Policy. His efforts were officially recognized in February 2025 when NASA sent him a letter of appreciation, thanking him for his ethical work as a security researcher.

NASA is not the only major organization where Shuvon has found security issues. He has also discovered bugs in Sony and Meta. At Sony, he found an IDOR bug that allowed access to unauthorized data. At Meta, he discovered a privacy issue where hidden reactions on profiles could be seen using code tricks.

“I mainly focus on two types of bugs – IDOR and information disclosure bugs. These are my specialties,” he said.

Shuvon has also made a name for himself globally. He was ranked number 1 in the world on TryHackMe, a popular platform used by cybersecurity learners and professionals. TryHackMe has over 2 million users worldwide, and Shuvon’s top position speaks volumes about his skill and dedication.

When talking about how he finds bugs, Shuvon shared that he uses tools like Burp Suite, Nuclei, and Google Dorks. He also uses platforms such as HackerOne and Bugcrowd to find and report security flaws.

“Tools help, but success comes from a hacker’s mindset – thinking logically and spotting what others miss,” he added.

According to Shuvon, many organizations in Bangladesh do not take digital threats seriously. He feels there is a need for a proper bug reporting system, and companies should hire skilled people to manage digital security issues.

“I want to spread awareness in Bangladesh of the damage bugs can cause. I also want to help develop a bug reporting system for major tech-dependent companies,” he said.

Shuvon also shared his long-term goals. “I want to keep learning, help others, and maybe build tools or a company someday. Bug hunting is just the beginning.”
