// cybersecurity portfolio

Robbin Westerduin

IT Student

// core competencies

Skills overview

Networking

  • Network protocol analysis (Wireshark) 95%
  • Firewalling & segmentation 90%

Linux

  • Debian / Ubuntu administration 95%

Windows

  • Active Directory security 80%

Security

  • Vulnerability management 90%

Cloud

  • AWS security & IAM 80%

Programming

  • Python 85%

Penetration Testing

  • Web application pentesting (Burp Suite) 95%
  • Network pentesting 90%

// responsible disclosure

Recent security disclosures

Medium Open

IDOR exposing invoice PDFs of other customers

PCK-2026-0002 · Regional energy supplier

Sequential identifiers in the invoice download endpoint allowed authenticated customers to retrieve invoices belonging to other accounts. Vendor has acknowledged the report and is working on a fix; details will be published after remediation.

Reported Mar 5, 2026

Informational Informational

SPF/DMARC misconfiguration enabling exact-domain spoofing

PCK-2025-0011 · Municipal government

The primary domain published a permissive SPF record and no DMARC policy, allowing exact-domain spoofing of official email. Reported as a hardening advisory; a p=reject DMARC policy has since been deployed.

Reported Oct 30, 2025

High Resolved

Stored XSS in SaaS helpdesk attachment preview

PCK-2025-0007 · HelpDeskPro (SaaS vendor)

SVG attachments were rendered inline without sanitization, allowing stored cross-site scripting against helpdesk agents and session takeover. Fixed by serving attachments with a sandboxed content-disposition and CSP.

Reported Jun 20, 2025

Let's work together

Open to security engineering roles, penetration testing engagements and coordinated disclosure conversations.