I am Evan Ricafort, A bug hunter from the Philippines interested in Web Application security testing. I was born in the Province of Ipil, Zamboanga Sibugay, Philippines on January 3, 1996. Studied Computer Networking at Ateneo De Zamboanga University. I'm a Security Researcher at Invalid Web Security, A startup security firm based in the Philippines. Since mid of 2013 I've been an active bug hunter in the bug bounty community reporting multiple different kinds of security vulnerabilities on popular websites such as Microsoft, Google, Twitter and etc. I spend my off-hours playing video games and riding bikes.
Visayan
Tagalog
English
Web Application Security
Music Production
Mobile Photography
Freelance Web Security Researcher at Finalify Ltd., - https://www.spectrocoin.com (February 2019 - March 2019)
Web Application Security Researcher at Invalid Web Security - https://www.invalidwebsecurity.info (October 2013 - present)
Cyber Security and Privacy Foundation Pte Ltd - Certified Whitehat Hacker v1 (CWHH) - Certificate ID. UC-SD45SNW8
PentesterLab - PentesterLab's Introduction Badge - Badge ID. PTLN9552
PentesterLab - PentesterLab's Essential Badge - Badge ID. PTLE2521
Featured in SecurityWeek (Google Nest Findings)
Security Week — http://www.securityweek.com/vulnerabilities-found-website-google-owned-nest
Featured in Pinoy Hack News (XSS Vulnerabilities)
Pinoy Hack News — http://www.pinoyhacknews.com/xss-in-natgeo-playstation-and-barack-obama
Featured in CKEditor (4.4.6 Security Patch Released)
Featured in Blesta Security Advisory (XSS Vulnerabilities)
Blest Security Advisory (Core-931) — http://www.blesta.com/2013/12/20/security-advisory-cross-site-scripting-vulnerabilities-2/
Featured in MIT Technology Review
Life as a bug bounty hunter: a struggle every day, just to get paid — https://www.technologyreview.com/s/611896/life-as-a-bug-bounty-hunter/
Featured in Peerio (Security Patch Released)
Security Patch Released — https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.98.7
Featured in Synack Red Team Calendars (2018 & 2019)
The Places You Go with the Synack Red Team (2018 SRT Calendar)
Hacker-to-Hacker (2019 SRT Calendar)
Featured in Wordpress (WordPress 5.2.4 and 5.4.1 Security Patch Release)
WordPress 5.2.4 - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
WordPress 5.4.1 - https://wordpress.org/news/2020/04/wordpress-5-4-1/
WPVulnhub - https://wpvulndb.com/vulnerabilities/9908
SecurityWeek - https://www.securityweek.com/wordpress-524-patches-six-vulnerabilities
Rapid7 - https://www.rapid7.com/db/vulnerabilities/freebsd-vid-459df1ba-051c-11ea-9673-4c72b94353b5
MITRE (CVE-2019-17674) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
MITRE (CVE-2020-11025) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
NIST (CVE-2019-17674) - https://nvd.nist.gov/vuln/detail/CVE-2019-17674
NIST (CVE-2020-11025) - https://nvd.nist.gov/vuln/detail/CVE-2020-11025
"Evan helped us by identifying a vulnerability in our public website, and thanks to Evan's professional standards he did so in accordance with our Responsible Disclosure Policy. Evan is one of the good guys."
"Evan assisted in identifying a vulnerability on our website. He was extremely easy to work with to have this issue resolved in a timely and professional manner. Thanks for all your help Evan, we greatly appreciate it."
"Evan's responsible disclosure helped keep our nonprofit's servers secure."
"Thank you Evan for helping us uncover a hidden vulnerability issue in our account management flow. We couldn't have found it without your help! Now our team can work to fix this issue and give more protection to our customers accounts. Thanks!"
I reported valid security vulnerability to the following companies. (Last Update January 3, 2020)
To read some of my write ups, just click here!