How Asem Eleraky went from a shared family PC to finding critical vulnerabilities

Asem Eleraky

In the world of vulnerability research, origin stories are rarely linear. For Asem Eleraky, the path to becoming a Microsoft MVR began not in a SOC lab or a university classroom, but with a single family PC and a short daily window to explore his growing interest in cybersecurity.

Asem’s early years were rich in creativity and curiosity. Growing up in Damietta, Egypt, he was inspired at an early age by his father, a graphic designer who was one of the first in their area to own a personal computer, back when PCs were still rare locally. Asem taught himself to use graphic design software and to take apart and rebuild hardware, driven by an innate desire to understand how systems worked at their core.

His first introduction to cybersecurity was in high school. Hearing of friends finding security flaws in platforms such as Facebook, Google, and Microsoft ignited a pivotal realization: “applications could be exploited.” If he could understand how they worked, he could play a role in improving them for everyone.

Asem’s passion grew and he set his sights on university. He found ways to level up his skills and knowledge, was admitted to his university’s computer engineering department, and began competing in local and regional CTFs. He placed as high as 2nd across the Middle East, an early signal of aptitude in identifying non-obvious attack paths and prioritizing iterative testing over surface exploration.

His transition into paid vulnerability research was equally impressive. While working with public vulnerability disclosure programs, Asem submitted a report detailing an escalated XSS vulnerability that enabled full account takeover. The strength of the finding earned him an invitation into a private bug bounty program, where it was formally rewarded. That first payout marked a meaningful milestone, enabling him to invest in a new laptop and phone and signaling that his skills could support a growing career in vulnerability research.

During his university years, Asem became deeply involved in bug bounty research alongside his studies. What began as late-night experimentation gradually turned into consistent, disciplined research across multiple programs, earning him recognition within the community. In parallel, he expanded his role within the security community by moving from solving CTF challenges to designing them, contributing to competitive events such as the first edition of the BlackHat MEA CTF.

In his final year at university, Asem secured a full-time role as a cybersecurity engineer — a milestone that reflected years of self-directed learning and hands-on practice. Just as his professional path was beginning to take shape, however, another obligation intervened. Military conscription loomed, bringing this chapter of momentum to a temporary pause and setting the stage for one of the most formative transitions of his journey.

Asem’s military conscription in Egypt, lasting nearly one and a half years, presented one of his most defining pivots. While he wasn’t able to study cybersecurity as diligently, he gained military structure and discipline: tasks are completed, even when solutions are uncertain. He returned from service with a renewed commitment to rebuilding his skills and set his sights squarely on what he believed was one of the hardest targets to reach: "Microsoft".

What followed was close to an obsession. He chose a single target and committed to understanding it end to end, favoring hands-on, manual testing over automated tools, exploring every edge case, logging every request, mapping every interaction. That relentless focus paid off. His first Microsoft submission uncovered a complex flaw in the main login portal’s authentication flow, ultimately enabling full account takeover, a result that validated not just the finding, but the process behind it.

Soon after, his research surfaced a second major vulnerability in the same domain—this one far more severe. It allowed an attacker to take over any user’s account with a single click, bypassing all restrictions and even defeating additional security layers like multi-factor authentication. The impact was staggering: "No account was safe." This discovery earned him his first five-figure payout—the largest he had received to date—and reinforced his belief that sustained focus and iteration were key to uncovering high-impact vulnerabilities.

In addition, Asem has received multiple Microsoft research acknowledgments across identity and authentication surfaces, some of which he later shared on his public blog to contribute to the wider security community.  

Today, Asem continues full-time bug bounty research while deepening his source code review skills. He has qualified for Microsoft’s Zero Day Quest live hacking event, where he looks forward to collaborating with researchers in person. His goals remain clear: continue iterating on major targets such as Microsoft, contribute to the security research community, and ultimately join a collaborative, team-based penetration testing environment.

In reflecting on his career to date, Asem considers these his proudest milestones:  

  • His first paid Vulnerability Disclosure Program bounty, validating his cybersecurity dreams.

  • Identifying and submitting Microsoft flaws in flows many assumed too complex or “unbreakable.”  

  • Being recognized as a Microsoft Valuable Researcher (MVR) and qualifying for the Zero Day Quest live hacking event, marking a major personal and professional milestone.

Asem’s advice for new researchers is grounded in realism:

  • Focus deeply on one application or attack surface.  

  • Test every function as a normal user first to understand behavior before diving into exploits.

  • Log every request and iteration; you will return to them, and they will guide you back to hidden opportunities.

  • One vulnerability unlocks many more. The first is the hardest; iteration makes the next ones easier.

  • When you find a bug, show its impact and escalate it as far as responsibly possible.

From a shared family computer to high‑impact findings across some of Microsoft’s most critical systems, Asem’s story reflects the power of sustained curiosity and disciplined research. As he continues to iterate, collaborate, and push deeper into complex attack surfaces, his impact on the security community is only set to grow.