I'm Evan Ricafort, a security consultant/bug hunter from the Philippines who is interested in web application security testing. I was born and raised in the little town of Ipil, Zamboanga Sibugay. studied computer networking at Ateneo de Zamboanga University. I am currently working remotely as an Offensive Security Engineer for a Chicago, Illinois-based cybersecurity firm. I've been an active member of the bug bounty community since early 2013, disclosing many types of security vulnerabilities on famous websites such as Microsoft, Google, Twitter, and others. In my spare time, I enjoy biking, playing video games, and other outdoor activities. If you wish to include me in your bug bounty program, please contact me through email or direct message on Twitter (@evanricafort). I'll do my best to provide you with excellent research.
Visayan
Tagalog
English
Web Application Assessment
Network Penetration Testing
Network Segmentation Testing
Offensive Security Engineer at VikingCloud - https://www.vikingcloud.com (April 2022 - present)
Security Researcher at Invalid Web Security - https://www.invalidwebsecurity.info (October 2013 - present)
Security Researcher at AegisOne Cyberdefense Corporation - https://aegisonesecure.com (June 2019 - 2022)
Security Researcher at Finalify Ltd., - https://www.spectrocoin.com (February 2019 - March 2019)
Security Researcher at Synack Red Team - https://www.synack.com/red-team/ (November 2016 - August 2022)
Cyber Security and Privacy Foundation Pte Ltd - Certified Whitehat Hacker v1 (CWHH) - Certificate ID. UC-SD45SNW8
Ben Sadeghipour (@NahamSec) - Intro to Bug Bounty Hunting and Web Application Hacking - Certificate ID. UC-d8e7bc7d-d3eb-4646-9a06-3c09d1bbf5f5
TCM Security Inc. - Practical Ethical Hacking - The Complete Course PEH - The Complete Course
The SecOps Group - Certified AppSec Practitioner (CAP) - Certificate ID. 8860312
The SecOps Group - Certified Network Security Practitioner (CNSP) - Certificate ID. 8907719
PentesterLab - PentesterLab's Introduction Badge - Badge ID. PTLN9552
PentesterLab - PentesterLab's Essential Badge - Badge ID. PTLE2521
Featured in SecurityWeek (Google Nest Findings)
Security Week — http://www.securityweek.com/vulnerabilities-found-website-google-owned-nest
Featured in Pinoy Hack News (XSS Vulnerabilities)
Pinoy Hack News — http://www.pinoyhacknews.com/xss-in-natgeo-playstation-and-barack-obama (Archived)
Featured in CKEditor (4.4.6 Security Patch Released)
CKEditor — http://ckeditor.com/blog/CKEditor-4.4.6-Released (Archived)
Featured in Blesta Security Advisory (XSS Vulnerabilities)
Blest Security Advisory (Core-931) — http://www.blesta.com/2013/12/20/security-advisory-cross-site-scripting-vulnerabilities-2/
Featured in MIT Technology Review
Life as a bug bounty hunter — https://www.technologyreview.com/s/611896/life-as-a-bug-bounty-hunter/
Featured in Peerio (Security Patch Released)
Security Patch Released — https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.98.7 (Archived)
Featured in Synack Red Team Calendars (2018 & 2019)
The Places You Go with the Synack Red Team (2018 SRT Calendar)
Hacker-to-Hacker (2019 SRT Calendar)
Featured in Bugcrowd (Inside the Mind of a Hacker)
Inside the Mind of a Hacker (2019 Edition [Page 16]) — https://dochub.com/P0B76b3K6dd453kwn2y1Gg/itmoah2019-pdf
Featured in Wordfence Intelligence
Wordfence Intelligence Vulnerability Researchers Profile — https://www.wordfence.com/threat-intel/vulnerabilities/researchers/evan-ricafort
Featured in Wordpress (WordPress 5.2.4 and 5.4.1 Security Patch Release)
WordPress 5.2.4 - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
WordPress 5.4.1 - https://wordpress.org/news/2020/04/wordpress-5-4-1/
WPVulnhub - https://wpvulndb.com/vulnerabilities/9908
SecurityWeek - https://www.securityweek.com/wordpress-524-patches-six-vulnerabilities
Rapid7 - https://www.rapid7.com/db/vulnerabilities/freebsd-vid-459df1ba-051c-11ea-9673-4c72b94353b5
MITRE (CVE-2019-17674) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
MITRE (CVE-2020-11025) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
NIST (CVE-2019-17674) - https://nvd.nist.gov/vuln/detail/CVE-2019-17674
NIST (CVE-2020-11025) - https://nvd.nist.gov/vuln/detail/CVE-2020-11025
Featured in Wordpress (WordPress 5.8.1 Security Patch Release)
WordPress 5.8.1 - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
SoMag News - https://www.somagnews.com/security-focused-wordpress-5-8-1-is-live-heres-whats-new/
Paradox Digital (UK) - https://paradoxdigital.uk/blog/wordpress-5-8-1-security-update/
MITRE (CVE-2021-39202) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39202
NIST (CVE-2021-39202) - https://nvd.nist.gov/vuln/detail/CVE-2021-39202
Featured in Apple (Apple Security Update - Fall 2022)
Apple - macOS Ventura 13 (CVE-2022-32918 - Photos Privacy Issue) - https://support.apple.com/en-us/HT213488
Center for Internet Security - https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apple-products-could-allow-for-arbitrary-code-execution_2022-127
MITRE (CVE-2022-32918) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32918
NIST (CVE-2022-32918) - https://nvd.nist.gov/vuln/detail/CVE-2022-32918
Lazymap
NMAP Equipped Network Penetration Testing Tool — https://github.com/evanricafort/lazymap
SegIt
Automated Network Segmentation Testing Kit — https://github.com/evanricafort/segit
"Evan helped us by identifying a vulnerability in our public website, and thanks to Evan's professional standards he did so in accordance with our Responsible Disclosure Policy. Evan is one of the good guys."
"Evan assisted in identifying a vulnerability on our website. He was extremely easy to work with to have this issue resolved in a timely and professional manner. Thanks for all your help Evan, we greatly appreciate it."
"Evan's responsible disclosure helped keep our nonprofit's servers secure."
"Thank you Evan for helping us uncover a hidden vulnerability issue in our account management flow. We couldn't have found it without your help! Now our team can work to fix this issue and give more protection to our customers accounts. Thanks!"
I reported valid security vulnerability to the following companies. (Last Update December 02, 2024)
To read my write ups, just click here!