Arkadiy Tetelman A security blog


My name is Arkadiy Tetelman - I live in San Francisco and work as a Security Architect at Chime. Previously I worked as:

  • Head of Application & Infrastructure Security at Chime
  • Head of Security at Lob
  • Application Security at Airbnb
  • Application Security at Twitter
  • Backend Engineer at CardSpring (acquired by Twitter)

I graduated from UC Berkeley with degrees in Computer Science and Applied Mathematics.

Conference Talks:

  • Security Paved Roads at Chime, Resourcely Podcast, 8/13/2023 (video)
  • What Does it Mean to Build a Proactive Security Culture in an Organization, BSides SF, 4/22/2023 (slides, video)
  • SecuriTEA & Crumpets Podcast, 4/29/2022 (video)
  • Accel Scholars: How to Grow Your Engineering Career, UC Berkeley, 4/13/2022
  • Comparative Prodsec Programs, Enigma, 2/2/2021 (video)
  • Security Culture, Tech Trek podcast, 11/24/2020 (audio)
  • Non-Political Security Learnings from the Mueller Report
  • Concrete Steps to Create a Security Culture, BSides SF, 3/4/2019 (slides, video)
  • Enlisting Ethical Hackers to Solve Cyber Risk, RIMS Cyber Risk Forum, 10/4/2018
  • Data Driven Bug Bounty, BSides SF, 4/15/2018 (slides, video)


Some of my currently active open source projects include:

  • protodump: a tool for extracting grpc/protobuf definitions from closed-source binaries
  • bounty-targets-data: an hourly-updated repo containing a list of all Hackerone/Bugcrowd in-scope domains
  • aws_public_ips: a tool for fetching all public IP addresses tied to an AWS account
  • zoom-redirector: a browser extension to open Zoom meetings using their hidden web client
  • ssrf_filter: a ruby gem for protecting against server side request forgery vulnerabilities
  • ddexport: a command line utility for downloading Datadog logs and spans via their API (their UI limits exports to 5000 rows of results)
  • chrome-extension-downloader: a command line utility for downloading and unpacking chrome extensions from the Chrome Web Store
  • free-ft: a Chrome extension to give free access to unlimited articles on the Financial Times
  • dftest: a small command line utility for testing server responses to domain-fronting requests

I also maintain a vulnerability disclosure program on Hackerone for my projects.


I’m available for security consulting and other inquiries. You can email me at:

  • hello{at} [PGP]

Or message me on Signal (@arkadiyt.01): Signal username: arkadiyt.01