I'm Evan Ricafort, a cybersecurity consultant based in the Philippines with a specialized focus on web application security testing. I was born and raised in Ipil, a little town in Zamboanga Sibugay, and studied computer networking and analysis at Ateneo de Zamboanga University. Currently, I work as an Offensive Security Engineer for a cybersecurity firm based in Chicago, Illinois, where I conduct in-depth security assessments and penetration tests for organizations across various industries. With over a decade of experience in the cybersecurity field, I have honed my expertise in identifying and exploiting vulnerabilities in web applications. I have been actively contributing to the bug bounty community since 2013. Throughout my career, I have successfully disclosed high-impact vulnerabilities for prominent companies, including Microsoft, Google, and Twitter, among others. Outside of my professional life, I maintain a balanced lifestyle, enjoying activities like mountain biking, trail riding, trail running, video games, and other outdoor adventures. If you're looking to strengthen the security of your platform, I'd be happy to collaborate. Feel free to reach out via email or direct message on Twitter/X (@evanricafort). I am committed to providing thorough and impactful security research to help safeguard your digital assets.
Visayan
Tagalog
English
Web Application Assessment
Network Penetration Testing
Network Segmentation Testing
Offensive Security Engineer (Junior) at VikingCloud - https://www.vikingcloud.com (April 2022 - April 2025)
Offensive Security Engineer III at VikingCloud - https://www.vikingcloud.com (April 2025 - present)
Security Researcher at Invalid Web Security - https://www.invalidwebsecurity.info (October 2013 - present)
Security Researcher at AegisOne Cyberdefense Corporation - https://aegisonesecure.com (June 2019 - 2022)
Security Researcher at Finalify Ltd. - https://www.spectrocoin.com (February 2019 - March 2019)
Security Researcher at Synack Red Team - https://www.synack.com/red-team/ (November 2016 - August 2022)
Cyber Security and Privacy Foundation Pte Ltd - Certified Whitehat Hacker v1 (CWHH) - Certificate ID. UC-SD45SNW8
Ben Sadeghipour (@NahamSec) - Intro to Bug Bounty Hunting and Web Application Hacking - Certificate ID. UC-d8e7bc7d-d3eb-4646-9a06-3c09d1bbf5f5
TCM Security Inc. - Practical Ethical Hacking: The Complete Course (PEH)
The SecOps Group - Certified AppSec Practitioner (CAP) - Certificate ID. 8860312
The SecOps Group - Certified Network Security Practitioner (CNSP) - Certificate ID. 8907719
PentesterLab - PentesterLab's Introduction Badge - Badge ID. PTLN9552
PentesterLab - PentesterLab's Essential Badge - Badge ID. PTLE2521
Featured in SecurityWeek (Google Nest Findings)
Security Week — http://www.securityweek.com/vulnerabilities-found-website-google-owned-nest
Featured in Pinoy Hack News (XSS Vulnerabilities)
Pinoy Hack News — http://www.pinoyhacknews.com/xss-in-natgeo-playstation-and-barack-obama (Archived)
Featured in CKEditor (4.4.6 Security Patch Released)
CKEditor — http://ckeditor.com/blog/CKEditor-4.4.6-Released (Archived)
Featured in Blesta Security Advisory (XSS Vulnerabilities)
Blesta Security Advisory (CORE-931) — http://www.blesta.com/2013/12/20/security-advisory-cross-site-scripting-vulnerabilities-2/
Featured in MIT Technology Review
Life as a bug bounty hunter — https://www.technologyreview.com/s/611896/life-as-a-bug-bounty-hunter/
Featured in Peerio (Security Patch Released)
Security Patch Released — https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.98.7 (Archived)
Featured in Synack Red Team Calendars (2018 & 2019)
The Places You Go with the Synack Red Team (2018 SRT Calendar)
Hacker-to-Hacker (2019 SRT Calendar)
Featured in Bugcrowd (Inside the Mind of a Hacker)
Inside the Mind of a Hacker (2019 Edition [Page 16]) — https://dochub.com/P0B76b3K6dd453kwn2y1Gg/itmoah2019-pdf
Featured in Wordfence Intelligence
Wordfence Intelligence Vulnerability Researchers Profile — https://www.wordfence.com/threat-intel/vulnerabilities/researchers/evan-ricafort
Featured in WordPress (WordPress 5.2.4 and 5.4.1 Security Patch Release)
WordPress 5.2.4 - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
WordPress 5.4.1 - https://wordpress.org/news/2020/04/wordpress-5-4-1/
WPVulnDB - https://wpvulndb.com/vulnerabilities/9908
SecurityWeek - https://www.securityweek.com/wordpress-524-patches-six-vulnerabilities
Rapid7 - https://www.rapid7.com/db/vulnerabilities/freebsd-vid-459df1ba-051c-11ea-9673-4c72b94353b5
MITRE (CVE-2019-17674) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
MITRE (CVE-2020-11025) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
NIST (CVE-2019-17674) - https://nvd.nist.gov/vuln/detail/CVE-2019-17674
NIST (CVE-2020-11025) - https://nvd.nist.gov/vuln/detail/CVE-2020-11025
Featured in WordPress (WordPress 5.8.1 Security Patch Release)
WordPress 5.8.1 - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
SoMag News - https://www.somagnews.com/security-focused-wordpress-5-8-1-is-live-heres-whats-new/
Paradox Digital (UK) - https://paradoxdigital.uk/blog/wordpress-5-8-1-security-update/
MITRE (CVE-2021-39202) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39202
NIST (CVE-2021-39202) - https://nvd.nist.gov/vuln/detail/CVE-2021-39202
Featured in Apple (Apple Security Update - Fall 2022)
Apple - macOS Ventura 13 (CVE-2022-32918 - Photos Privacy Issue) - https://support.apple.com/en-us/HT213488
Center for Internet Security - https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apple-products-could-allow-for-arbitrary-code-execution_2022-127
MITRE (CVE-2022-32918) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32918
NIST (CVE-2022-32918) - https://nvd.nist.gov/vuln/detail/CVE-2022-32918
Lazymap
NMAP Equipped Network Penetration Testing Tool — https://github.com/evanricafort/lazymap
SegIt
Automated Network Segmentation Testing Kit — https://github.com/evanricafort/segit
"Evan helped us by identifying a vulnerability in our public website, and thanks to Evan's professional standards he did so in accordance with our Responsible Disclosure Policy. Evan is one of the good guys."
"Evan assisted in identifying a vulnerability on our website. He was extremely easy to work with to have this issue resolved in a timely and professional manner. Thanks for all your help Evan, we greatly appreciate it."
"Evan's responsible disclosure helped keep our nonprofit's servers secure."
"Thank you Evan for helping us uncover a hidden vulnerability issue in our account management flow. We couldn't have found it without your help! Now our team can work to fix this issue and give more protection to our customers accounts. Thanks!"
I have reported valid security vulnerabilities to the following companies. (Last Update June 21, 2025)
• Bandcamp — https://get.bandcamp.help/hc/en-us
• Barracuda Labs — https://barracudalabs.com/research-resources/bug-bounty-program/bug-bounty-hall-of-fame-2/
• Base CRM — https://getbase.com/security/
• Blackberry — http://ca.blackberry.com/business/enterprise-mobility/mobile-security/incident-response-team/collaborations.html (2014)
• Blackboard — https://bugcrowd.com/blackboard
• Blesta — http://www.blesta.com/responsible-disclosure/ (CORE-931)
• Bidmail — http://www.bidmail.com/index.php/contact/
• Big Commerce — http://www.bigcommerce.com/about-us/
• BigParser — https://www.bigparser.com/security
• Birst — http://www.birst.com/security-reporting
• Bitcasa — https://support.bitcasa.com/hc/en-us/articles/202210658-How-To-Responsibly-Report-Security-Concerns
• Bitcurex — https://bitcurex.com/page/1485694-bezpieczenstwo
• Bitdefender — http://www.bitdefender.com/site/view/bug-bounty-hall-of-fame.html
• Bitvavo — https://bitvavo.com/en/responsible-disclosure
• Braintree Payment Solutions — https://www.braintreepayments.com/developers/disclosure
• Brand and Sign — http://www.brandandsign.com/privacy/responsible-disclosure-policy/
• BoardGameGeek — https://boardgamegeek.com/responsible_disclosure_policy
• Bonusly — https://bonus.ly/security
• Box — https://www.box.com/about-us/security
• Bufferapp — https://bufferapp.com/security
• Bugcrowd — https://bugcrowd.com/bugcrowd/hall-of-fame
• Bugherd — http://bugherd.com/security
• Bugify — https://bugify.com/security
• Calameo — http://en.calameo.com/content/about_calameo-about-calameo.htm
• Calendar Budget — https://calendarbudget.com/support2/open.php
• Changetip — https://www.crowdcurity.com/changetip/hall-of-fame/all
• Cisco — http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
• CKEditor — http://ckeditor.com/blog/CKEditor-4.4.6-Released (CKEditor 4.4.6 Critical Patch)
• Clause I/O — https://clause.io/security
• Cloudflare — https://hackerone.com/cloudflare/thanks
• Cloudsmith — https://help.cloudsmith.io/docs/exploits-hall-of-fame
• Colupon — https://bugcrowd.com/c028
• Commando IO — https://commando.io/security.html#hall-of-fame-section
• Compilr — https://compilr.com/forum/security-thanks
• Comodo Dragon — http://www.comodo.com/contact-comodo/contact-us.php
• Coinbase — https://hackerone.com/coinbase/thanks
• Constant Contact — http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
• Crowdcurity — https://www.crowdcurity.com/crowdcurity/hall-of-fame/all
• Crowdrise — http://www.crowdrise.com/UnitedRelief-ARC (Reward ($100) Donated to Typhoon Haiyan Victims in the Philippines [2013])
• Cozy — https://cozy.co/security-and-privacy/
• Dell Secureworks — http://www.secureworks.co.uk/contact/disclosure/
• Deskera — https://www.deskera.com/blog/deskera-responsible-disclosure-reward-program
• Detectify — https://detectify.com/responsible_disclosure/hall_of_fame
• Deutsche Telekom — http://www.telekom.com/security/acknowledgements
• Digital Fire — http://digitalfire.com/services/contact.php
• Dropbox — https://www.dropbox.com/special_thanks
• Dropcam — https://www.dropcam.com/security
• DuckDuckGo — https://duck.co/feedback/bug/-
• Duke University — https://security.duke.edu/policies/responsible-disclosure
• Duo Security — https://www.duosecurity.com/security
• Eco Home — https://www.ecohome.net/bug-reward-disclosure-program/
• Ecstasy Data — http://www.ecstasydata.org/contact.php
• Edmodo — https://www.edmodo.com/contact
• Electronic Frontier Foundation — https://www.eff.org/security/hall-of-fame
• Email On Acid — http://www.emailonacid.com/contact/
• EMC Corporation — http://www.emc.com/contact-us/contact/product-security-response-center.htm
• ESET Nod32 (Russia) — https://club.esetnod32.ru/about/
• Europa (CERT-EU) — https://cert.europa.eu/cert/newsletter/en/latest_HallOfFame_.html
• File Pigeon — http://www.filepigeon.com/faq/
• Ford Motor Company (Fleet Department) — http://www.fleet.ford.com/contact-us/
• Form Assembly — http://www3.formassembly.com/blog/formassembly-vulnerability-and-security-reporting/
• FoxyCart — http://www.foxycart.com/security-contact/
• Freelancer — https://www.freelancer.com/about/security/hall-of-fame
• Friendster — http://www.friendster.com/contact_us
• Game Institute — https://www.gameinstitute.com/contact.php
• Gapminder — http://www.gapminder.org/about-gapminder/contact/
• Gearbest — https://www.gearbest.com/about/report-security-issue.html
• Gemini — https://exchange.gemini.com/security
• Geonode — https://github.com/GeoNode/geonode/commit/f48b14e26894c21006c165beb62a9a13265dba0e
• GetJobber — https://getjobber.com/security/bug-bounty/
• GF Overflow — http://www.gfoverflow.com/contact.php
• GitBook — https://www.gitbook.com/security
• GitLab — https://about.gitlab.com/vulnerability-acknowledgements/ (2014)
• Gizmo Host — http://www.gizmohost.com/contact
• Gizmo Quip — http://gizmoquip.com/#contact
• Gli.PH — https://gli.ph/security.html
• Globe Telecom — https://www.globe.com.ph/privacy-policy.html
• Google — https://www.google.com/about/appsecurity/hall-of-fame (Q3 2014 Reward Recipient & Honorable Mention; Q3 2017 Reward Recipient)
• Guidebook — https://guidebook.com/security/
• Hackerearth — http://www.hackerearth.com/recruit/faq/
• HackForCause — http://hackforcause.com/hall-of-fame/
• Hackerone — https://hackerone.com/security/thanks
• Halodoc — https://www.halodoc.com/security
• Harvard University — http://about.worldmap.harvard.edu/sponsors
• Hash — https://hash.ai/security
• Hipmunk — https://www.hipmunk.com/about
• Honeybadger — http://docs.honeybadger.io/article/181-security
• Hotgloo — http://www.hotgloo.com/security/hall-of-fame
• HTC — http://www.htc.com/us/terms/product-security/
• Huawei — http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm
• Hubspot — https://bugcrowd.com/hubspot
• Hubdia — https://hackerone.com/hubdia/thanks
• Hunter I/O — https://blog.hunter.io/security-bounty-program/
• IBM Corporation — http://www-03.ibm.com/security/secure-engineering/report.html
• iBuildApp — http://ibuildapp.com/about-us/
• Icecoder — https://bugcrowd.com/icecoder/hall-of-fame
• iDevAffiliate — http://www.idevdirect.com/contact.php
• Intel — https://www-ssl.intel.com/content/www/us/en/forms/webmaster-contact-us.html
• Internetwache — https://en.internetwache.org/security/
• Invision — https://bugcrowd.com/invision/hall-of-fame
• Jumpshare — https://jumpshare.com/security
• Joomlart — http://www.joomlart.com/joomlart/contact-us
• JotForm — http://www.jotform.com/about/
• Juniper Networks — https://www.juniper.net/us/en/security/report-vulnerability/
• Kayako — https://classichelp.kayako.com/hc/en-us/articles/360006380700-Security-Vulnerabilities-in-Kayako
• Khan Academy — https://hackerone.com/khanacademy/thanks
• Lark Technologies — https://hackerone.com/lark_technologies
• Lavasoft — http://lavasoft.com/mylavasoft/company/about.php
• Lleida — http://www.lleida.net/en/company/about-us
• LG Developers — http://developer.lge.com/footer/footer/RetrieveContactInfo.dev
• LinkedIn — http://help.linkedin.com/app/safety/answers/detail/a_id/37022
• Logentries — https://logentries.com/doc/security/
• Loginradius — https://www.loginradius.com/bug-bounty/
• Magix AG — http://research.magix.com/ (May 2014)
• MailChimp — http://mailchimp.com/about/security-response/
• MailRU — https://hackerone.com/mailru/thanks
• Mastercoin Foundation — https://bugcrowd.com/mastercoin/hall-of-fame
• MaxCDN — http://www.maxcdn.com/company/security/
• Meldium — https://www.meldium.com/security
• Memberful — https://memberful.com/help/general/security/
• Metrodeal — http://www.metrodeal.com/about-us
• Microsoft — http://technet.microsoft.com/en-us/security/cc308575#0114 (January 2014 and July 2016)
• Mixmax — https://hackerone.com/mixmax/thanks
• Moment.Me — http://www.moment.me/
• Motorola — http://www.motorolasolutions.com/US-EN/About/Security%20Vulnerability
• Movember — https://bugcrowd.com/movember/hall-of-fame
• My News Desk — http://www.mynewsdesk.com/about
• Narrative Science — https://bugcrowd.com/narrativescience
• National Cyber Security Center (Netherlands) — https://www.ncsc.nl/security
• Niteflirt — https://support.niteflirt.com/hc/en-us/articles/216991547-Security-Exploit-Bounty-Program
• Nitrous I/O — http://help.nitrous.io/admin-security-response/ (2014)
• Nucivic — http://nucivic.com/security/
• Oculus VR — https://www.oculusvr.com/bug-submission/
• oDesk — https://bugcrowd.com/odesk/hall-of-fame
• Omnilert — https://www.omnilert.com/company/security
• OpenDrive — https://www.opendrive.com/security
• OpenText — http://www.opentext.com/Who-We-Are/Copyright-Information/Security-Acknowledgements
• Oracle — http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/2367958.xml (April 2015)
• OutSystems Inc. — https://hackerone.com/outsystems_bbp/thanks
• Pagerduty — http://www.pagerduty.com/security/disclosure/
• Pandora Media, Inc. — https://bugcrowd.com/pandora
• Panorama9 — http://www.panorama9.com/security
• Patron Technology — https://www.patrontechnology.com/security-vulnerability-program
• Paysa — https://www.paysa.com/security/whitehat
• PayPal — https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention (Quarter 2 of 2014)
• Peerio — https://www.peerio.com/bug.html (https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.98.7)
• Perfectcloud — https://www.perfectcloud.io/about.html
• Pleio — https://www.pleio.nl/#support
• PhpNuke — https://downloads.phpnuke.org/en/email/contact_us.htm
• Poll Everywhere — https://www.polleverywhere.com/security
• PowerSchool: School Spring 2021 — https://www.bugcrowd.com/powerschool-ss-2021
• Pwnie Express — https://www.pwnieexpress.com/contact-us/
• Quantopian — https://www.quantopian.com/security
• Quora — https://bugcrowd.com/quora/hall-of-fame
• Rackspace — http://www.rackspace.com/information/legal/rsdp
• Rainedout — http://www.rainedout.com/contact
• Rapid7 — https://www.rapid7.com/disclosure.jsp
• Rebelmouse — https://about.rebelmouse.com/company
• RelateIQ — https://hackerone.com/relateiq/thanks
• Retool — https://docs.retool.com/docs/security
• Ribose — https://www.ribose.com/security/hall_of_fame
• Rietta — http://rietta.com/contact/security/
• Risk I/O — https://www.risk.io/security
• Robocoin — https://hackerone.com/robocoin/thanks
• Samsung — https://samsungtvbounty.com/HallOfFame.aspx
• Sendcloud — https://www.sendcloud.com/bug-bounty-program/
• Scroll — https://scroll.help/en/articles/3344853-does-scroll-have-a-bug-bounty-or-responsible-disclosure-program
• Search on Zippy — http://www.searchonzippy.com/contact
• Sellfy — https://sellfy.com/security/
• Senate (GOV) — https://www.senate.gov/general/content_responsibility.htm
• Shaukk — http://shaukk.com/developers.php
• Site Liner — http://www.siteliner.com/contact
• Silent Circle — https://bugcrowd.com/silentcircle
• Slack — https://hackerone.com/slack/thanks
• SmartQ — http://www.getsmartq.com/support.php
• Sony — https://secure.sony.net/hallofthanks
• Sophos — https://bugcrowd.com/sophos/hall-of-fame
• Sourceforge Japan — http://sourceforge.jp/docs/SourceForge.JP%E3%81%AE%E9%80%A3%E7%B5%A1%E5%85%88
• SoundCloud — http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure
• Splitwise — http://blog.splitwise.com/about/responsible-disclosure-special-thanks/
• StarHub — http://www.starhub.com/personal/support/contact-us.html
• Survey Gizmo — http://surveygizmo.helpgizmo.com/help/contact-us
• Spectrocoin — https://www.crowdcurity.com/spectrocoin/hall-of-fame/all
• Spotify — https://www.spotify.com/us/bounty/
• Sprout Social — http://sproutsocial.com/responsible-disclosure-policy
• SSLMate — https://sslmate.com/security
• Steam — https://support.steampowered.com/index.php
• StoptheHacker — https://hackerone.com/stopthehacker/thanks
• Stripe — https://stripe.com/docs/security
• Strivewire — https://strivewire.com/security
• Student CRM - Data Harvesting U.K. — http://www.student-crm.co.uk/about/security/
• Swipe Identity — https://bugcrowd.com/c030/hall-of-fame
• Tagged — http://safety.tagged.com/security/
• The Email Laundry — https://www.theemaillaundry.com/responsible-disclosure/
• Thumbr — http://www.thumbr.io/tos
• TikTok — https://hackerone.com/tiktok/thanks/2022?type=team
• Trend Micro — http://esupport.trendmicro.com/en-us/business/pages/vulnerability-response.aspx#acknowledgement
• Tresorit — https://tresorit.com/hacking-challenge
• Tumblr — http://www.tumblr.com/security
• Twitch TV — http://www.twitch.tv/p/security
• Twilio — https://bugcrowd.com/twilio/hall-of-fame
• Twitter — https://about.twitter.com/company/security (2013, 2014, 2016, 2018)
• Typo3 — https://typo3.org/community/teams/security/bug-bounty-program
• Uber — https://www.uber.com/security
• uShip — https://help.uship.com/hc/en-us
• United States Naval Academy — http://www.usna.edu/About/
• UK Secure Web Hosting — http://www.uksecurewebhosting.co.uk/contact.php
• Upstox — https://upstox.com/bug-bounty/
• Upwork — https://bugcrowd.com/upwork
• US Unlocked — https://www.usunlocked.com/contact_us.php
• U.S. Department of Defense — https://hackerone.com/deptofdefense/thanks
• Valve Software — http://www.valvesoftware.com/security/
• Veridu — https://veridu.com/wiki/Security_Procedures#Vulnerability_Reward_Program
• Via Forensics — https://viaforensics.com/company/contact/
• VidaXL — https://www.vidaxl.com.au/security
• Visa Inc. — http://www.visa.com/globalgateway/
• Vox Analytics — https://www.voxanalytics.com/contact
• Wattpad — https://support.wattpad.com/hc/en-us
• WePay — https://hackerone.com/wepay/thanks
• Western Union — https://bugcrowd.com/westernunion/hall-of-fame
• Winni — https://www.winni.in/bug-bounty#bbHOF
• Wizehive — https://www.wizehive.com/security/
• WordPress — https://hackerone.com/wordpress/thanks
• World Vision Philippines — http://worldvision.org.ph/contact-us
• WPEngine — http://wpengine.com/contact/
• Yahoo! — https://hackerone.com/yahoo/thanks
• Yamaha Club Philippines — https://www.yamahaclub.com.ph/contact/
• Yandex — http://company.yandex.com/security/hall-of-fame.xml (March 2014)
• YCombinator — https://www.ycombinator.com/security/
• Yesware — http://www.yesware.com/security/
• YiiFramework — http://www.yiiframework.com/security/
• Zendesk — http://www.zendesk.com/company/responsible-disclosure-policy
• Zynga — http://company.zynga.com/security/whitehats (2014)
To read my write-ups, just click here!