Security Researcher · Bug Bounty Hunter

Jerry Luong

Security Researcher
Mobile Reverse Engineer
Automation Engineer

I reverse engineer Android APKs and iOS IPAs to study their authentication flows and build a unified, all-in-one login platform with a seamless payment management system across all platforms. Besides that, I hunt bugs and research vulnerabilities responsibly.

Technical Expertise

Reverse engineering, vulnerability research, and the automation muscle behind it

Reverse Engineering

Android / APK Analysis
JEB Decompiler
IDA Pro
Frida
DEX & Smali
Native (ARM) Analysis
Protocol Replication
mitmproxy / HAR

Security Research & Bug Bounty

Vulnerability Research
SQL Injection
Auth / Token Analysis
API Security
Burp Suite
HackerOne
Responsible Disclosure
CVSS

Engineering & Platforms

Python
JavaScript / TypeScript
React.js
Next.js
FastAPI
Node.js
REST API
WebSocket
PostgreSQL
Redis

AI & Automation

LangChain
LLM Agent Architectures
RAG
Headless Browser Stealth
JA3+ Fingerprint Spoofing
CAPTCHA Evasion
Anti-Bot Bypass

Professional Journey

From reverse engineering and security research to intelligent automation systems

Security Researcher & Reverse Engineer

Confidential (FinTech)
2025 – Present
Remote
  • Reverse engineer Android merchant APKs (DEX/Smali, native ARM, Frida instrumentation) to fully model their authentication and login flows
  • Replicate proprietary login handshakes as pure API clients, defeating client-side encryption, signing, and anti-tamper checks
  • Deliver the reverse-engineered login implementations that power the company's all-in-one (AIO) login platform, covering dozens of merchants with card-switching support
  • Conduct vulnerability research and bug bounty hunting across web and API targets (HackerOne), with a focus on authentication and injection flaws
  • Authored published offensive-security research on a novel PostgreSQL dollar-quoting blind SQL injection technique

Independent AI/Automation Engineer

Freelancing
2022 – 2025
Remote
  • Developed custom web scraping tools with anti-bot bypass capabilities (Cloudflare, PerimeterX, reCAPTCHA v3)
  • Bypassed Cloudflare Turnstile CAPTCHA with pure HTTP requests by fully reverse engineering the heavily obfuscated CAPTCHA module
  • Designed and deployed LLM-powered React Agent systems for automating data research and enrichment
  • Built high-resilience browser automation systems with rotating fingerprints (JA3, canvas, audioContext)
  • Integrated LangChain, RAG pipelines, and knowledge graph APIs to power intelligent lead-gen and customer insight tools
  • Created stealth infrastructure to simulate human-like browsing across 50+ concurrent sessions

Machine Learning Agent Developer

Involio
2022 – 2022
Remote
  • Developed and trained NLP classification models to detect and filter inappropriate or harmful user-generated content
  • Built automated moderation pipelines using Python, Scikit-learn, and TensorFlow, reducing manual review workload by 70%
  • Fine-tuned transformer-based models (BERT, RoBERTa) for real-time sentiment and toxicity analysis on social media posts
  • Integrated content flagging API with front-end moderation dashboard for reviewer feedback loop

Software Developer

AdviNow Medical
2021 – 2022
Remote
  • Reverse engineered JavaScript-heavy platforms to automate complex UI-based interactions
  • Decrypted AES-based encrypted traffic to replicate secured browser sessions using raw HTTP requests
  • Successfully emulated entire user workflows with no browser dependencies, improving scraping speed by 300%

Restaurant Owner

Self-Employed
2019 – 2020
San Diego, CA
  • Founded and scaled a full-service restaurant, leading operations, finances, and marketing

Featured Projects

Advanced automation and security solutions built with cutting-edge techniques

Dollar-Quote Desync (Published Research)

Published

Original offensive-security paper presenting a blind SQL injection technique that abuses PostgreSQL dollar-quoting to evade application-level regex sanitizers, enabling zero-knowledge schema enumeration and data extraction through a boolean oracle.

Key Features:

Novel SQLi Technique
PostgreSQL / PL/pgSQL
Sanitizer Evasion
Blind Boolean Oracle

Technologies:

Vulnerability Research
SQL Injection
PostgreSQL
Security

ID / Driver License Scanner

Active

Document scanner that extracts structured fields from ID cards and driver licenses using one-shot Named Entity Recognition — generalizing to unseen layouts and formats from a single example, without per-template training.

Key Features:

One-Shot NER
Field Extraction
Layout Generalization
OCR Pipeline

Technologies:

Python
NER
Computer Vision
OCR
Transformers

Crexi Data Scraper

Production Ready

High-performance web scraper for commercial real estate data extraction from the Crexi platform. Handles large-scale data collection with intelligent rate limiting and error handling.

Key Features:

Large-Scale Scraping
Rate Limiting
Error Handling
Data Extraction

Technologies:

Web Scraping
Python
Data Extraction
Automation

Data Enrichment Pipeline

Active

Automated data enrichment system that processes and enhances raw data with additional context, validation, and cross-referencing capabilities.

Key Features:

Data Processing
Enhancement
Validation
Cross-Referencing

Technologies:

Data Processing
Python
APIs
Machine Learning

Interested in learning more about these projects?

Let's Work Together

Open to security research collaborations, reverse engineering work, and bug bounty engagements. If you have a hard target or a tough automation problem, let's connect.

© 2025 Jerry Luong.