- Dhaka
Md Shariar Shanaz Shuvon, a 17-year-old self-taught ethical hacker from Bangladesh, has made headlines after discovering a major security flaw in NASA's system. In recognition of his work, the US space agency sent him an official letter of appreciation.
Shuvon, who hails from Jhenaigati in Sherpur, completed his SSC from Jhinaigati Govt Model Pilot High School and is currently studying for a diploma in Information Technology at the University of Cyberjaya in Malaysia. Alongside his studies, he works as an Information Security Analyst at ERTH (Blue Bee Technologies Sdn. Bhd.), a company focused on cybersecurity.
His journey into the world of ethical hacking started back in Class 7 when he began exploring programming using free online resources like YouTube tutorials, eBooks, and PDFs. By the time he reached Class 8, he had developed a deep interest in cybersecurity, bug hunting, and hackathons. Although he dabbled in SEO, graphic design, and video editing, his real passion lay in cybersecurity.
On June 11, 2024, Shuvon discovered a privacy-related vulnerability in NASA’s system. He initially tested common techniques but found no success. Then, using a combination of IDOR (Insecure Direct Object Reference) and SSRF (Server-Side Request Forgery), he identified a serious bug that exposed personal data from NASA’s Earth systems. If misused, the data could have led to phishing attacks or unauthorized sales. He responsibly reported the issue through NASA’s Vulnerability Disclosure Policy, and the agency confirmed the fix and appreciated his ethical conduct with a letter in February 2025.
Shuvon has also reported bugs in global tech giants like Sony and Meta. At Sony, he found an IDOR bug that allowed unauthorized data access. At Meta, he discovered a privacy flaw that exposed hidden reactions on profiles through code manipulation. He focuses mainly on IDOR and information disclosure bugs, which he calls his specialties.
He also achieved the global top rank on TryHackMe, a platform used by over two million people for cybersecurity learning and testing. His tools of choice include Burp Suite, Nuclei, and Google Dorks, and he often works through platforms like HackerOne and Bugcrowd. Still, Shuvon believes a hacker’s mindset is more valuable than any tool—it's all about logic and spotting what others miss.
Despite gaining international recognition, Shuvon wants to contribute to cybersecurity development in Bangladesh. He believes most local companies don’t take digital threats seriously and lack proper systems for bug reporting. He hopes to raise awareness and help build a secure bug-reporting framework for major organizations in the country.
Looking ahead, Shuvon plans to keep learning, help others, and possibly build his own cybersecurity tools or company. For him, “bug hunting is just the beginning.”
Write your opinion