Speakers
Bug Bounty Village Speakers 2025

Jason Haddix
@Jhaddix

Jason Haddix AKA jhaddix is the CEO and “Hacker in Charge” at Arcanum Information Security and the field CISO for flare.io. Arcanum is a world class assessment and training company.
Jason has had a distinguished 20-year career in cybersecurity, previously serving as CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason is a hacker, bug hunter and currently ranked 57th all-time on Bugcrowd’s bug bounty leaderboards. Currently, he specializes in recon, web application analysis, and emerging technologies. Jason has also authored many talks on offensive security methodology, including speaking at cons such as DEFCON, Bsides, BlackHat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, Toorcon and many more.

Justin Gardner
@rhynorater

Yo! I'm Justin Gardner - a full-time bug bounty hunter out of Richmond, VA. I also host the Critical Thinking - Bug Bounty Podcast and advise for Caido - the latest and greatest HTTP proxy. I'm an active member of the HackerOne live hacking event circuit (the medium through which I do most of my bug bounties) and have placed top 5 in most of the live hacking events I've attended for the past couple years. Web hacking is my sh*t, but I love all types of hacking.

Roni Carta
@0xLupin

Roni Carta, known as Lupin and co-founder of Lupin & Holmes, is an ethical hacker specializing in offensive cybersecurity, with a strong background in bug bounty hunting, including a $50,000 reward for hacking Google AI, red teaming at ManoMano, and significant research into software supply chain vulnerabilities, notably presenting at DEF CON 32 and recently reporting a hack of Google's AI Gemini; his diverse technical skills range from ATO and RCE exploits to supply chain security, earning him recognition in various cybersecurity competitions.

Jeff Foley
@jeff_foley

Jeff Foley has over 20 years of experience in information security, focusing on research & development, security assessment, and attack surface management. During the last eight years, Jeff identified a lack of situational awareness in traditional information security programs and shifted his attention to this vital function. He is now the Project Leader for Amass, an OWASP Foundation Flagship Project that provides the community with guidance and tooling for in-depth attack surface mapping and asset discovery. Jeff has assisted various companies with attack surface management and has been invited to speak at conferences. In past lives, Jeff was the Vice President of Research at ZeroFox, focused on proactive cybersecurity outside the traditional corporate perimeter. He also served as the Global Head of Attack Surface Management at Citi, one of the largest global banks, and started their first program addressing exposure management. Jeff began his career serving the United States Air Force Research Laboratory as a contractor specializing in cyber warfare research and development. He concluded his government contracting at Northrop Grumman Corporation, where he performed the roles of Subject Matter Expert for Offensive Cyber Warfare Research & Development and Director of Penetration Testing. In these roles, he also developed a penetration testing training curriculum for the Northrop Grumman Cyber Academy and taught trainers to utilize the material across this international organization. During his time in this profession, Jeff has taught at various academic institutions on offensive security, cloud security, and attack surface management.

Aaron Guzman
@scriptingxss

Aaron is passionate about protecting connected devices from exposures with over 10 years as a bug bounty program owner with Belkin, Linksys, and Cisco Meraki. He currently serves as Chief Information Security Officer (CISO) at Cisco, where he protects millions of networks and end-users that power the Internet. He actively participates in the community through leadership in open-source initiatives, authorship, and technical review for books such as Bug Bounty Bootcamp and Practical IoT Hacking by No Starch Press.

Gunnar Andrews
@G0LDEN_infosec

Hello! I am an application security engineer by day, and a bug bounty hunter by night! I enjoy turning security research, and bug bounties, into an engineering problem. I love collaborating with others, and I am always trying to learn new technologies. Other than hacking, I enjoy hockey, fitness, exploring, and video games!

Anthony Silva

Anthony Silva is a Customer Success Manager at YesWeHack, where he manages a diverse portfolio of clients — from startups to international enterprises — across multiple industries and countries.
He supports organizations in designing, launching, and optimizing their bug bounty, vulnerability disclosure (VDP), and pentest programs, guiding them from initial onboarding through the full lifecycle of their engagements.
Anthony works closely with cross-functional teams, including sales, product, technical experts, triage analysts, and the hacker community, to ensure customer satisfaction and program effectiveness.
Before joining YesWeHack, he gained valuable experience in various technology and consulting companies, where he developed a strong foundation in cybersecurity, project management, and client relations. As an active registered hunter on several platforms, he also brings hands-on insight into offensive security practices.
Based in Paris and originally from Toulouse, Anthony has French, Spanish, and Portuguese roots. He is passionate about technology, geopolitics, science, and video games.

Dane Sherrets
@DaneSherrets

Dane is an Innovations Architect at HackerOne, where he helps organizations run AI-focused bug bounty programs and improve the security of emerging technologies. His work includes winning 2nd place in the Department of Defense AI Bias Bounty competition, discovering critical vulnerabilities in platforms like Worldcoin, and helping design and manage Anthropic's AI Safety Bug Bounty program. Drawing on his background as a bug hunter, Dane blends strategic guidance with hands-on expertise to advance the safety and security of disruptive tech across industries.

Goraksh Shinde

Goraksh is a Senior Security Engineer on the Amazon Bug Bounty Team where he leads overall Strategy and Engineering initiatives. He is a core founding member of the Amazon Bug Bounty Program and passionate about unleashing its full potential. Goraksh also has a penetration testing background with expertise in hardware and mobile security. He likes emerging challenges and loves to do focused research. When not doing security he is into testing his legs with hiking and running half marathons.

Abhinav Panda
TweetsFromPanda

Abhinav's artistry comes from the times he used to sneakily paint drawings made by his sister. His hacking career began as a toddler, disassembling his toys but never putting them back together. His entrepreneurial roots come from selling snacks at a school fair and making a loss of $10. Having learned how not to make money, he launched Hackerware.io - a boutique badgelife lab with in-house manufacturing - which has grown over the past nine years into a global presence across 19 countries. He’s often spotted at conferences around the world - hosting hardware villages or pulling off the kind of random shenanigans that earned him the Sin CON Person of the Year 2025 award.

Jay Dancer
dancer-in-appsec

Inspired by a book on criminal forensic analysis, Jay brought cookies to a staff application security engineer some six years ago and absorbed as much info as possible, pivoting from there into mobile application security engineering and subsequently application security at large. Since 2020 Jay has been securing Shopify in various roles, and contributing to their high volume high payout bug bounty program hosted on HackerOne.

Bruno Halltari
@BrunoModificato

Bruno is a security researcher with a background in Web2, specializing in client-side vulnerabilities. He has conducted extensive audits and research on topics such as popular wallets and sandbox environments. He is currently ranked in the top 10 on the HackenProof bug bounty platform worldwide and has reported vulnerabilities through HackerOne to platforms such as Zoom and MetaMask.

Michael Skelton
@codingo_

Previously a top 10 bounty hunter at Bugcrowd, now the VP of Operations overseeing triage, appeals, escalations, and the support team, also creating YouTube content at youtube.com/codingo and developing tools at github.com/codingo.

Ben Sadeghipour
@nahamsec

Ben Sadeghipour, also known as NahamSec, is an ethical hacker, content creator, and keynote speaker. With a passion for cybersecurity that began in his teenage years, Ben's professional journey as a bug bounty hunter took off in 2014. He has played a role in helping organizations identify and remediate thousands of security vulnerabilities across a wide range of web and mobile applications in tech giants such as Amazon, Apple, Google, Airbnb, Snapchat, Zoom, and even the US Department of Defense. Ben helps others learn ethical hacking, bug bounty hunting, and reconnaissance techniques. He has also created training materials and content for conferences such as OWASP, DEFCON, and Bsides.

Adnan Khan
@adnanthekhan

Adnan is a Security Engineer and part-time Bug Bounty hunter who has a passion for finding vulnerabilities in CI/CD systems of the world's largest companies. He's spoken at conferences like DEF CON and Black Hat, and his offensive security research on topics like GitHub Actions Cache Poisoning is cited by GitHub and the SLSA framework. He also maintains Gato-X - an open-source tool that he's used to earn hundreds of thousands of dollars in bug bounties over the last two years.

Jasmin Landry
@JR0ch17

Jasmin Landry is a seasoned ethical hacker and full-time bug bounty hunter who has reported hundreds of security vulnerabilities to some of the world’s largest tech companies. After years leading cybersecurity efforts as Senior Director of Information Security at Nasdaq, Jasmin returned to his roots in hacking — now focusing exclusively on uncovering critical bugs through platforms like HackerOne and Bugcrowd. Recognized at multiple live hacking events for top findings, he brings a sharp eye for unexpected issues and a deep understanding of modern attack surfaces. He’s also a co-leader of OWASP Montréal and an active voice in the security research community.

Nick Copi
@7urb01

Nick Copi is an AppSec engineer and active bug bounty hunter who has reported 100+ high signal vulnerabilities to companies in the last year. He has a diverse technical background, including building and hosting infrastructure and challenges for a couple dozen capture the flag or other offensive hands-on training lab events. He is a member of the CTBB Full Time Hunter's Guild, and an active contributor to the online bug bounty space, always eager to share interesting ideas around other people's "nearly exploitable bugs" as well as novel attack scenarios. His hobbies include debugging minified JavaScript, grepping Blink source in hopes of discovering magical undocumented behaviors, and doing pull ups on iframe jungle gyms.

Adam Langley
@BuildHackSecure

For over 20 years, Adam has balanced the worlds of application security and web development. He currently serves as the CTO of HackingHub and the Director of BSides Exeter. Over the past five years, he has combined his expertise to create and deliver gamified educational content, aimed at teaching the next generation of ethical hackers and developers about web application security.

Harrison Richardson
harrison-richardson-rs0n-7a55bb158

Harrison Richardson (rs0n) began his Cybersecurity career in the US Army as a 25B. After leaving the service, Harrison worked various contract and freelance jobs while completing his Masters in Cybersecurity from the University of Dallas. Harrison's first full-time job in the civilian sector was at Rapid7, where he worked as a senior security solutions engineer as part of their Applied Engineering Team. Today, Harrison works as a product security engineer covering web applications, cloud, and AI systems. In his free time, Harrison develops a wide range of open-source tools and works to provide educational content to the bug bounty community through YouTube & Twitch.

Vanshal Gaur
@VanshalG

Vanshal is a security engineer and AI researcher focused on web application security and automation. He has responsibly disclosed vulnerabilities through platforms like HackerOne and Bugcrowd, and his recent work explores how artificial intelligence can scale vulnerability discovery. Vanshal has built AI-powered agents that automate recon, analyze HTTP responses, and identify real bugs across thousands of domains. He’s also worked on secure sandboxing for running hacking tools safely. At DEF CON 33, he’ll share how he built an autonomous bug bounty agent — from prompt engineering and tool orchestration to live recon and vulnerability triage. His talk blends hands-on hacking with AI, aimed at researchers who want to scale their impact with modern tooling.

Tyson Laa Deng
tyson-laa-deng

Tyson Laa Deng leads PayPal's Bug Bounty Program as Technical Lead, where he strengthens the company's cybersecurity posture through strategic collaboration with the global security research community. He develops critical metrics and frameworks that drive vulnerability analysis and remediation efforts across PayPal's digital infrastructure.
With extensive experience in information security, Tyson Laa Deng bridges technical expertise with cross-functional leadership, working closely with legal, communications, and engineering teams to ensure comprehensive security strategies. His approach combines rigorous technical analysis with relationship-building, fostering trust between PayPal and external researchers.
When he's not mentoring engineers or analyzing the latest security trends, you'll find him behind a camera lens capturing the least perfect shot, composing classical pieces, or on the soccer field trying to strategize like Messi.

Gabriel Nitu
gabriel-n-b968b836

Splunk Offensive Security Engineer with over 9 years of experience poking holes in things (responsibly, of course) and helping others sleep at night (sometimes). Whether it’s finding flaws in a product before the bad guys sniff them out, leading incident response like a firefighter, or scaling bug bounty programs, Gabriel brings a mix of curiosity, chaos, and calm.
He is always evangelizing the art of ethical hacking—and occasionally reminding people that security by obscurity is not a strategy.

Eddie Rios

Born and raised in TX, been hacking or breaking things since I was a kid. Got my start in Phreaking because computers were too expensive back then!
Been working in the Information Security field since 2013 and have been working for Synack since 2016. I've seen over 15k reports in that time and have been pretty active with researchers from all over the world. Before security I worked as a technician for various companies including Geek Squad. Before my time in IT I did body piercings or worked in various fields including retail and fast food. All of which helped me understand the importance of helping people to the best of my abilities.

Richard Hyunho Im
@richardim

Richard Hyunho Im (@richeeta) is a security researcher who has over a dozen credited reports from Apple (including CVE-2025-24225, CVE-2025-24198, and CVE-2024-44235), is ranked in the top 25 of OpenAI's bug bounty program, and created Fertitta Entertainment's inaugural vulnerability disclosure and bug bounty programs.

Inti De Ceukelaire
@securinti

Inti is currently the Chief Hacker Officer at bug bounty platform Intigriti.

Sam Erb
@erbbysam

Sam is a security engineer @ Google and helps run the Google & Alphabet VRP. In the past, Sam has won two DEF CON Black Badges and numerous live hacking event awards including an MVH trophy. Sam has submitted hundreds of bug bounty reports and triaged thousands of your reports.

Martin Doyhenard
@tincho_508

Martin is a Security Researcher at PortSwigger with over 10 years of experience specializing in web security and reverse engineering. Renowned for presenting multiple pieces of groundbreaking research at premier conferences like Black Hat, DEFCON and RSA. Active participant in Capture The Flag (CTF) competitions and bug bounty programs, consistently uncovering critical vulnerabilities and driving innovation in cybersecurity.

Robert Vulpe
@nytr0gen_

Robert Vulpe, also known as nytr0gen, is a Senior Security Engineer at UiPath. He is renowned for his expertise in cybersecurity, particularly in assessing product security through various penetration testing methodologies. With over 300 pentest assessments under his belt, Robert has identified and reported over 1500 security vulnerabilities in high-profile companies such as Amazon, PayPal, Goldman Sachs, and Epic Games.
His meticulous approach to security is evident in his detailed and professional reports. He is listed among PayPal's Top 10 Hackers and was selected for the prestigious Forbes 30 under 30 list for his outstanding achievements in cybersecurity. With more than 8 years of experience in source-code review, he possesses a keen eye for identifying code-level security flaws.

Joel Alexis Noguera
@niemand_sec

Joel Noguera is a security researcher at XBOW, a company dedicated to developing innovative AI for offensive security. Joel is a security professional and bug hunter with more than eight years of expertise in exploit development, reverse engineering, security research and consulting. He has actively participated in Bug Bounty programs since 2016, reaching the all-time top 60 on the HackerOne leaderboard. Before joining XBOW, he was part of Immunity Inc., where he worked as a security researcher for three years. Joel has presented at Recon, BlackHat Europe, EkoParty and BSides Keynote Berlin, among others.

Michelle Lopez
michelle-l-9831841a

Hey there hackers! I am a Lead Triager at HackerOne based in Denver. I started my security journey by sending out download links to trojans to unsuspecting users on ICQ. Years later I began poking around internal systems at the companies I worked at. This led to a deeper interest in how easily users can be compromised. Shortly after I went all in on learning all things appsec related. Today I get to see, recreate, assess, and triage your bug bounty reports which range from open redirects to PII disclosure of thousands of customers to novel LLM hacks. I've triaged over 10,000 reports. My advice is to validate your input! Feel free to reach out over LinkedIn.

Shlomie Liberow
@Shlibness

Shlomie Liberow is a security researcher who specialises in translating technical vulnerabilities into actionable business risk for enterprises. He has led technical delivery of live hacking events for major organizations, mediating over $20M in bounty payouts by helping companies understand the real-world impact of bugs within their specific environment and risk profile.
As a researcher, he has personally discovered 250+ vulnerabilities across Fortune 500 companies.

Ryan Nolette
cloudy-with-a-chance-of-security

Ryan is AWS's Senior Security Engineer for the Outreach Team and CoAuthor of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost 2 decades in the infosec field, Ryan has been on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan has been an active speaker and writer on threat hunting and endpoint security.
- www.linkedin.com/in/cloudy-with-a-chance-of-security
- https://github.com/sonofagl1tch

Elisa Gangemi
elisa-gangemi

Elisa Gangemi is a Senior Cybersecurity Engineer on the OffSec Team at T-Mobile, where they manage the Penetration Testing Pipeline and contribute to the company’s Bug Bounty Program. With prior experience in offensive and product security at startups, Elisa helped launch vulnerability management programs, including bug bounty initiatives and security tooling. They began their technology career as a QA tester, then transitioned into InfoSec at Akamai Technologies, working on technical program management and security research. Elisa holds the GIAC GWAPT certification and serves on the GIAC Advisory Board. They’ve enjoyed learning hacking techniques and have participated in a U.S. team that twice placed in the top four at NorthSec’s CTF in Montreal. DEF CON 33 marks their first year attending and speaking.

Whit Taylor
whittaylor

As a penetration tester for Rhino Security Labs, I bring over a decade of experience to the security industry. For the past two years, I have specialized in bug bounty hunting and penetration testing, focusing on web applications and recently expanding into Android application security. My work has resulted in vulnerability submissions to major companies, including Epic Games and PayPal.
Beyond my primary roles, I actively conduct security research on open-source projects and emerging web technologies. This research has led to the discovery of several CVEs, including a critical Unauthenticated Remote Command Execution (RCE) vulnerability in Appsmith Enterprise Edition.

Denis Smajlovic
denis-smajlovic

Manages bug bounty programs through his vulnerability management services company Nova Information Security based in San Francisco, California. He has worked on shaping and transforming the bug bounty programs of multiple big-tech companies, putting a focus on high-quality researcher/triager communication and transparency in the submission process. Coming from a background in penetration testing and security consulting, those skills have proven valuable in not just establishing internal processes and recommending fixes, but also understanding the motivations of security researchers and how to do right by them. The result is a well-run program that creates value internally while security researchers are engaged and feel that their work is meaningful. Together with his co-speaker, he now shares his insight into common pitfalls and issues when dealing with the bug bounty process to allow both security researchers and program owners to make better, informed decisions on how to approach the wild world of bug bounty.

Parsia Hakimian
@CryptoGangsta

Parsia is an offensive security "engineer" at Microsoft. While not a full-time hunter, he has learned a great deal from hunts and the bug bounty community. He spends most of his time reading code and experimenting with static and dynamic analysis – but wishing he was gaming.
Parsia has previously presented at DEF CON's main venue and the AppSec Village. When not breaking (or fixing) things, he plays videogames, D&D, spends time with family outside - and, as his wife jokes, "subjects himself to the tax and immigration systems of US and Canada."