Offensive Security Researcher

Abdulaziz
Almadhi

Penetration tester & vulnerability researcher · Riyadh

I break the technology millions of people rely on, then help close the gaps before attackers do. Four published CVEs, two of them scoring a perfect CVSS 10.0, the highest severity a vulnerability can reach. My top two reports paid $30,500 and $25,000.

Role
Founder & CEO of Catchify
Based
Riyadh, Saudi Arabia
Focus
Pentesting · Bug bounty · Red team
Handle
@3zizme_
Offensive security researcher · Riyadh · SA

4 published CVEs · 500+ findings disclosed · 8 honors & awards · 11 certifications
01·About

Offensive security, end to end.

I help organizations find their weaknesses before attackers do, from a single overlooked parameter to a full-scope red-team operation.

I'm Aziz, a penetration tester and vulnerability researcher from Harmah, now based in Riyadh, and the founder of Catchify. I find the flaws others miss. My work covers web, API, mobile, and network penetration testing, full red-team engagements, and original research that has produced four NVD-published CVEs.

Two of those are maximum-severity CVSS 10.0 findings in Ubiquiti's UniFi platform, and a third is critical (9.9) in the UID Enterprise Agent. One UniFi Access disclosure earned a $25,000 maximum Ubiquiti bounty via HackerOne. A UniFi OS path traversal earned a $30,500 bounty, my highest so far. All of them are published, patched, and credited by the vendor.

I founded Catchify to bring focused, Saudi-led offensive security to organizations across the Kingdom. On a bounty, an engagement, or a report, I aim for one thing: a clear, prioritized path to closing the gaps that matter.

Identity
Abdulaziz Naif Almadhi
Role
Founder & CEO of Catchify
Research
CVE · Ubiquiti, Ellucian
Station
Riyadh, SA · Harmah حرمة
Record
4 CVEs · 11 certifications
02·Research

Published CVEs & disclosures.

Real vulnerabilities with assigned CVE identifiers and public NVD records. Every one carries a CVSS severity score, and you can verify each.

CVE-2026-34909 · Ubiquiti · UniFi OS
CWE-22 · Unauth · CISA KEV · $30,500

UniFi OS: Path Traversal

Unauthenticated path traversal in UniFi OS: a network attacker can read and manipulate files on the underlying system to take over a host account. Patched in UniFi OS Server 5.0.8 and the matching UDM / gateway builds; 31 device models were affected. Later added to CISA's Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild. Credited to Abdulaziz Almadhi of Catchify in Ubiquiti's advisory; $30,500 bounty.

Patched 21 May 2026 · CISA KEV 23 Jun 2026 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 10.0 / 10 · Critical

CVE-2025-52665 · Ubiquiti · UniFi Access
CWE-306 · RCE · $25,000

UniFi Access: Unauthenticated RCE

An exposed management API in UniFi Access was reachable without authentication, leading to remote code execution. This Catchify disclosure earned Ubiquiti's $25,000 maximum bounty via HackerOne.

Patched in UniFi Access 4.0.21 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 10.0 / 10 · Critical

CVE-2026-47367 · Ubiquiti · UID Enterprise Agent
CWE-20 · Cmd Injection · RCE

UID Enterprise Agent: Command Injection

Improper input validation in the UID Enterprise Agent (< 1.61.4) lets a low-privileged network attacker run arbitrary commands on the host device, effectively remote code execution. Credited to Abdulaziz Almadhi of Catchify in Ubiquiti's advisory.

Patched in UID Enterprise Agent 1.61.4 · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 9.9 / 10 · Critical

CVE-2023-49339 · Ellucian · Banner 9.17
CWE-639 · IDOR · Public PoC

Ellucian Banner: IDOR

Insecure direct object reference exposing other students' personal and academic records via a manipulated bannerId. This was my first CVE. It has a public proof-of-concept on GitHub and is tied to the Ellucian Hall of Fame.

Disclosed 2023 · Banner 9.17 endpoint · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 6.5 / 10 · Medium

Every record above is credited to Abdulaziz Almadhi and publicly listed on the U.S. National Vulnerability Database. Additional research & tooling: github.com/3zizme.

03·Honors

Recognition & highlights.

Vendor credits, a third-party hall of fame, top Ubiquiti bounties, and CTF placements. You can verify each one yourself.

2026 · $30,500 Ubiquiti bounty for CVE-2026-34909 · Highest single bounty to date · UniFi OS, CVSS 10.0
2025 · $25,000 maximum Ubiquiti bounty for CVE-2025-52665 · UniFi Access RCE, via HackerOne
2025 · 2nd place, CTF at AISC Conference (DEFCON edition) · Bahrain
2024 · 1st place, Black Hat MEA Bug Bounty Cup · Riyadh, Saudi Arabia · region's largest cybersecurity event
2023 · Ellucian Security Researcher Hall of Fame · Listed by Ellucian for CVE-2023-49339 · third-party verified
2023 · 3rd place, Aramco CTF · 3rd place, KSU CTF · Saudi Aramco · King Saud University
2021 · Best Quality Report, @Hack Bug Bounty · Riyadh · SAFCSP, in association with Black Hat
2021 · 11,500 SAR in one month on the Saudi Bug Bounty · SAFCSP / BugBountySA platform

Bounties verifiable via Ubiquiti / HackerOne advisories; the Ellucian listing and competition placements are third-party records.

04·Work

How I work.

The offensive capabilities I bring to every engagement.

01

Bug Hunting

Hunting real, exploitable vulnerabilities across bug bounty programs and live targets, and reporting them so they get fixed.

02

Penetration Testing

Hands-on assessments of networks, APIs, web and mobile apps. Manual testing backed by Burp Suite and Kali, with a methodology I have refined over years of real findings.

03

Red Teaming

Full-scope, adversary-emulation engagements that test detection and response. The question isn't whether a box is patched. It's whether your defenses actually hold.

04

Reports & Insights

Clear, prioritized reporting that explains the real-world risk and the exact steps to fix it. Your team gets a plan, not a pile of noise.

05·Credentials

Verified certifications.

Eleven industry certifications across offensive security, infrastructure, and incident response. Each one lists its ID and a verification link.

CBBH · HTB Certified Bug Bounty Hunter · ID 32A8778822 · Sep 2025
CAPen · Certified AppSec Pentester · SecOps Group · ID 8553068 · Apr 2025
CNSP · Certified Network Security Practitioner · ID 8849310 · Jun 2024
eCPPT · Certified Professional Pentester · INE · ID 2529834 · Mar 2023
eWPTX · Web App Pentest eXtreme · INE · ID 7955910 · Oct 2022
GCIH · GIAC Certified Incident Handler · ID 42433 · Apr 2022
eJPT · Junior Penetration Tester · INE · ID 3739296 · Feb 2022
RHCSA · Red Hat Certified System Admin · ID 210-235-644 · Dec 2022
Security+ · CompTIA Security+ · ID COMP001021974521 · Jan 2022
CCNA · Cisco Certified Network Associate · ID CSCO14068769 · Nov 2021
LRPA / LRSA · LogRhythm Analyst & Admin · Mar 2022

Note. Open any card's Certificate link to view the certificate itself. The ID is listed on each card for verification. Some issuers (CompTIA, Cisco, HTB, SecOps Group) ask you to enter the ID, and sometimes the name, on their portal, which the Verify link opens. RHCSA verifies directly by ID.

06·Affiliation

Catchify

The Saudi-led offensive security company I founded and lead.

Founded & led by Abdulaziz

Security Testing, Simplified.

Offensive security led by experienced Saudi researchers. I founded Catchify to give organizations across the Kingdom continuous, results-driven penetration testing and a private bug bounty program of hand-selected researchers.

  • Pay-On-Catch. You only pay when we find real vulnerabilities. No findings, no fee.
  • PTaaS across web, mobile, API & network with real-time dashboards.
  • A private bug bounty program of vetted Saudi researchers.
  • Compliance-ready reporting aligned to national frameworks.
Reporting aligned to: NCA · SAMA · PDPL
Pricing model
Pay-On-Catch: pay only for valid vulnerabilities, priced by severity.
Operations base
Riyadh, SA · info@catchify.sa · +966 54 472 5681
Engagement
PTaaS: continuous testing, not a once-a-year snapshot.
07·Contact

Let's make something harder to break.

Need a penetration test or a red-team engagement? Have a security question you can't shake? Send me a message.