top of page
Speakers
Bug Bounty Village Speakers 2026

Jason Haddix
Jason Haddix AKA jhaddix is the CEO and “Hacker in Charge” at Arcanum Information Security. Arcanum is a world class assessment and training company.
Jason has had a distinguished 20-year career in cybersecurity previously serving as CISO of FLARE, CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason is a hacker, bug hunter and currently ranked 57th all-time on Bugcrowd’s bug bounty leaderboards. Currently, he specializes in recon, web application analysis, and emerging technologies. Jason has also authored many talks on offensive security methodology, including speaking at cons such as DEFCON, Bsides, BlackHat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, Toorcon and many more.

Pedro Paniago
Pedro Paniago also known as "drop" in the bug bounty community, is an Offensive Security Manager specializing in Application Security at PwC, as well as a security researcher with a strong focus on AI security.
As a bug bounty hunter, he has identified more than 1,000 vulnerabilities and holds 10+ CVEs. He is certified in CBBH, eJPTv2, PJMT, and BSCP.
In 2024, Pedro ranked in the top 3 at Belgium’s Hack the Government Live Hacking Event, and in 2025 he placed in the top 6. He is an active voice in the bug bounty community, a HackerOne Brand Ambassador, and co-captain of the Belgian team.

Ryan Barnett
Ryan Barnett is a Senior Threat Research Manager leading the Akamai App and API Protector (WAF) product. He also acts as s triager on Akamai's and customers' bug bounty programs. In addition to his primary work at Akamai, he is also a former Faculty Member for the SANS Institute, a WASC Board Member and OWASP Project Leader for: ModSecurity Core Rule Set (CRS) Web Hacking Incident Database (WHID). Mr. Barnett has also authored two web security books: Preventing Web Attacks with Apache (Pearson) and The Web Application Defender's Cookbook: Battling Hackers and Defending Users (Wiley).

Bogdan Stelea
Bogdan Stelea is a Senior Software Engineer performing AI Security Research at Microsoft, working at the intersection of AI security, adversarial ML, and secure agentic system design.
Bogdan develops automated frameworks for conducting variant hunting and discovering prompt injection vulnerabilities at scale. His work focuses on identifying, reproducing, and understanding vulnerabilities in modern AI copilot solutions, with a particular emphasis on cross/indirect prompt injection attacks (XPIA), tool misuse, and the expanding attack surface introduced by AI agents. Moreover, Bogdan creates learning materials and courses that clearly explain the threats introduced by XPIA.
Actively engaged in the AI Security, CTF, and Bug Bounty communities, with a consistent presence at DEF CON, Bogdan has published and presented his AI security research at international academic venues, including IEEE and ACM.

Catherine Cassell
Catherine is a security engineer on the bug bounty team at GitHub. She has five years of experience in offensive security, working in both bug bounty and penetration testing. Catherine has spent the last year and a half at GitHub and runs an annual hardware hacking workshop at the Glass Firewall Conference. At work, she spends her days reading and triaging bounty reports. Outside of work, she spends her free time outside, as far away from screens as possible. You can usually find her hiking or skiing in the Rocky Mountains.

Adam Hassan
Adam Hassan (@adamkadaban) is a vulnerability researcher working with the Microsoft Offensive Research & Security Engineering (MORSE) team. He has a background in Windows/Active Directory security, purple teaming, and CTFs, and loves contributing to open source. Recently, he's spent most of his free time experimenting with using LLMs for security work, from bug hunting and malware reversing to building tools and detection engineering.
https://hackback.zip

Mehmet Önder Key
Önder Key is a cybersecurity consultant specializing in critical infrastructure security, zero-day vulnerability analysis, and offensive security. He has advised organizations in high-security sectors such as defense, aerospace, and finance, with hands-on experience in both red teaming and strategic security engineering. His work has been featured across numerous countries and platforms, contributing to the discovery of systemic vulnerabilities. Currently, he provides consultancy to TurkNet and continues to advance the global offensive security ecosystem by challenging traditional approaches to cybersecurity.

Bruno Mendes
Bruno Mendes is the Head of Hacking at Ethiack. He began his work career as an Offensive Security Researcher on Intel's IPAS Cloud Security team in 2024.
In bug bounty, back in 2023 placed 5th overall in the teams category and won the "Not Dead Yet" award at an Intigriti Live Hacking Event in Lisbon, and most recently co-authored a critical RCE with André Baptista (0xacb) that earned over $100k+ in a single program.
He has an extensive CTF background being a three-time winner of the Cybersecurity Challenge Portugal (2021-2023), captain of Team Portugal at the European Cybersecurity Challenge (2022, 2023, 2025), and won the 2023 International Cybersecurity Challenge with Team Europe. He also captained the Instituto Superior Técnico CTF team (STT) from 2022 to 2024.

Samantha Pearlstein
Samantha is a solutions engineer with a strong background in security research, executive cyber resilience, and nation-state threats. As a former consultant at Accenture, she led cyber resilience initiatives for Fortune 100 executives, developed GenAI-powered security tools, and delivered workshops on emerging cyber challenges. Today, as a Sales Engineer at Escape, Samantha helps AppSec teams secure their APIs and SPAs, combining her passion for cybersecurity with hands-on problem-solving.

Albin Vattakattu
Albin leads the global Vulnerability Disclosure Program (VDP) for Amazon Web Services (AWS). Albin's work has been featured by HackerOne, the SANS Institute, the AWS Security Blog, and multiple international conferences.
Prior to AWS, Albin led incident response teams across North and South America, defending foreign governments and fortune 100 companies against attack campaigns by APTs.

Ben Sadeghipour
Ben Sadeghipour (NahamSec) is a security researcher, ethical hacker, and educator who has spent more than a decade finding and disclosing critical vulnerabilities in some of the world's largest organizations. As one of the most recognized names in the bug bounty community, he has reported thousands of security flaws and consistently ranked among the top researchers on leading hacking platforms.
Beyond his own research, Ben is passionate about lowering the barrier to entry in cybersecurity. Through his widely followed educational content, live streams, and the conferences he founds and organizes, he has helped train a new generation of hackers around the world. His work blends deep technical expertise with a commitment to mentorship and community building.
Ben speaks regularly at industry conferences on offensive security, bug bounty hunting, and building a career in cybersecurity.

Ads Dawson
Ads Dawson has spent the past year stealing data from AI agents in production — through bug bounty programs. A Staff AI Security Researcher at Dreadnode and member of BT6, the frontier AI red team, he specializes in web application security, adversarial machine learning exploitation, and autonomous red teaming. Ranked #2 in Canada on HackerOne (2026) and #1 Up and Comer (Q4 2025), Ads is a HackerOne Ambassador (US South), BugCrowd Hacker Advisory Board member, and selected for Meta's MBBRC live hacking event. He founded the OWASP GenAI Security Project — the fastest project to reach OWASP flagship status — and is lead author of AIRTBench (arXiv), the first AI/ML red teaming benchmark for LLMs. His work includes red teaming frontier models for Google DeepMind and shaping the EU AI Act Code of Practice. He spoke at Bug Bounty Village DC33 on the BT6 AI jailbreaking panel.

Glendon Chong
I am part of the Vulnerability Management team for TikTok. Over the past year, I’ve been actively involved in web application vulnerability triage, collaborating with security researchers and internal teams to dissect, validate, and remediate a wide spectrum of web-based threats. My work centers on bridging reporter expertise and TikTok’s security posture—including in-depth negotiations over CVSS scoring, refining triage workflows for emerging attack vectors, and translating complex vulnerability details into actionable remediations. I bring hands-on experience identifying gaps in modern web architectures, advocating for fair, transparent risk assessment with the bug bounty community, and aligning vulnerability prioritization with our platform’s commitment to user safety.

Max vonBlankenburg
Max is a security research engineer at Semgrep, doing their best to make software break less. Max has worked with smart contracts, CTFs and the software supply chain. Right now they ’re interested in how to use AI to help make security engineering easier and tip the scales towards defenders.

Dane Sherrets
Dane is an Innovations Architect at HackerOne, where he helps organizations run AI-focused bug bounty programs and improve the security of emerging technologies. His work includes winning 2nd place in the Department of Defense AI Bias Bounty competition, discovering critical vulnerabilities in platforms like Worldcoin, and helping design and manage Anthropic's AI Safety Bug Bounty program. Drawing on his background as a bug hunter, Dane blends strategic guidance with hands-on expertise to advance the safety and security of disruptive tech across industries.

Jai Kumar Sharma
Jai Sharma is a Principal Offensive Security Engineer at GoDaddy, where he manages the company's bug bounty program. He comes to that role from both sides of the table; a longtime bug hunter who has also run bug bounty programs in the past, giving him a rare view of how the relationship works (and breaks down) from each perspective.
He cares about making bug bounty work better for hunters and programs alike.
Jai also gives back to the community as a DEF CON volunteer, serving as Coordinator for the Bug Bounty Village and CTF Ops for the Cloud Village.

Parsia Hakimian
Parsia Hakimian is a security engineer in Microsoft's SERPENT team. When he is not playing videogames, he will talk your ear off about static analysis. He has presented at DEF CON about blockchains, browser sandboxes, desktop bug bounties, and using a Nintendo Power Glove as a presentation gimmick. You can find his rants at https://parsiya.net.

Tobias Diehl
Tobias Diehl is a security researcher and Senior Offensive Security Engineer specializing in vulnerability research and emerging attack surfaces. His research has led to multiple vulnerability disclosures in Microsoft technologies, including Power Automate, Power Apps, and AI-integrated enterprise platforms.
A 2025 Microsoft Most Valuable Researcher (MVR), Tobias focuses on identifying novel exploitation paths that blend traditional security weaknesses with modern cloud and AI technologies. He is passionate about sharing research, mentoring new hunters, and helping organizations better understand real-world security risks.

Ali Kabeel
With over a decade of bug hunting experience, Ali has uncovered critical vulnerabilities across top tech platforms including Google, Microsoft, Meta, and Snapchat. He's especially passionate about business logic vulnerabilities, flaws rooted in real-world misuse rather than broken code, because they often evade automated scanners yet carry high impact.
Ali is currently a Security and Privacy Engineering Lead at Bending Spoons, where he leads security efforts across major products including WeTransfer, Brightcove, and Vimeo. He actively shares his expertise through conference talks, mentoring, and community engagement.

Hannah Law
Hannah is an Extensibility Specialist at PortSwigger, where she helps shape how Burp Suite can be adapted to real-world testing workflows. She works hands-on with submissions to the BApp Store, as well as the Bambdas and BChecks community repositories, helping refine extensions and community contributions before they’re shared more widely.
She especially enjoys making extensions better and finding creative workarounds to awkward testing problems. She has also written extensions for customers, internal teams, and her own projects, including the original WebSocket Turbo Intruder extension.

Shrimant Subhash More
Shrimant Subhash More is a Senior Product Security Analyst at HackerOne with over 8 years of experience in offensive security, penetration testing, and vulnerability management. His expertise spans web, API, mobile (Android and iOS), and AI/LLM security, with more than 300 security assessments conducted across diverse industry sectors.
At HackerOne, Shrimant leads and supports vulnerability triage operations, validates security reports submitted by researchers, handles escalations, mentors analysts, and collaborates with global teams to improve security outcomes and triage efficiency. He is passionate about offensive security, product security operations, security automation, and helping organizations build resilient products.
Beyond his professional role, Shrimant actively contributes to the cybersecurity community as a HackerOne Community Brand Ambassador for India West (Pune), where he organizes meetups, conducts workshops, mentors aspiring researchers, and promotes responsible disclosure and bug bounty programs. He is the assignee of CVE-2020-35296 and holds multiple industry certifications across security, cloud, and AI domains.

Armaan Pathan
Armaan Pathan is a Senior Security Engineer at KATIM with more than 10 years of experience in offensive security, application security, and vulnerability research, helping organizations identify and remediate critical security risks.Throughout his career, he has discovered and responsibly disclosed vulnerabilities impacting major companies, including Google, Meta, and Apple, through bug bounty and coordinated vulnerability disclosure programs. His interests include web and API security, security engineering, and exploring how AI can be used to enhance offensive security and vulnerability research. Armaan actively contributes to the security community-publishing technical blogs, presenting at conferences, and raising awareness of emerging threats and practical defenses.

Edward Morris
Edward Morris is a frontier AI security researcher focused on indirect prompt injection, sandbox escape in IDE and browser agents, and offensive use of LLM agents. He ranks top-3 globally on Mozilla's 0DIN GenAI bug bounty program and recently won Meta's AI Hacking Challenge at MBBRC 2026 in Taipei, the only researcher of around 200 to solve it. He is an invited researcher in Anthropic's and OpenAI's AI safety bug bounty programs, and works with BT6, a frontier-AI red team that does pre-deployment testing for major AI labs. His work is finding the attack patterns that break agentic AI before it ships, and turning them into techniques other hunters can use.

Inti De Ceukelaire
Inti is a Founding Member at Intigriti and their former Chief Hacker Officer. As a hacker, Inti has won multiple awards in live hacking competitions from Bugcrowd and HackerOne. Inti specialises in AI-hacking techniques, logic flaws and support systems, and is most known for the "Ticket Trick" methodology that has earned a spot in Portswigger Top Web Hacking Techniques.

Mike Takahashi
Mike Takahashi, aka TakSec, is an AI Red Team Researcher at Zenity; member of BT6; and Bug Bounty Hunter focused on breaking AI systems. He has submitted 400+ vulnerabilities across major bug bounty programs and top ranking on both Anthropic’s Safety Bug Bounty Program on HackerOne and Mozilla’s 0din GenAI Bug Bounty Program. His work targets prompt injection, data exfiltration, and AI agent security.

Joey Melo
Joey is a Principal Security Researcher at CrowdStrike and a contributor to AI safety programs at OpenAI and Anthropic. He specializes in offensive security research and adversarial analysis of complex systems, with a particular focus on AI/ML infrastructure and large language models.
His work has led to the discovery of critical vulnerabilities and novel exploitation techniques, helping organizations better understand and defend against sophisticated threat actors. He has experience across red teaming, exploit development, and designing resilient architectures for high-risk environments.
Joey has earned recognition through bug bounty programs and multiple security competitions, with over $100,000 awarded for vulnerability research. He is also an OSCP, OSCE³ and CRTO-certified professional.

Arnav Garg
Arnav Garg is a Security Researcher at the Microsoft Security Response Center (MSRC), specializing in AI security research, adversarial testing, and the security of Copilot and agentic AI systems. His work focuses on understanding and mitigating emerging AI threats, with particular emphasis on cross/indirect prompt injection attacks (XPIA), data exfiltration techniques, tool misuse, and the evolving attack surface introduced by AI agents. Arnav develops automated frameworks for scalable security testing and vulnerability discovery, helping advance practical defenses for next-generation AI systems. He has presented and published research on AI security, automated prompt injection discovery, and AI vulnerability testing at both internal and external venues.

Metehan Arslan
Metehan Arslan is a Security Engineer and Mathematician specializing in Cryptography, Communications and Hardware Security.

Ryan Bonner
Ryan is a Lead Security Engineer at Arcanum Information Security. A part-time bug hunter, Ryan has built his career on the offensive side of security, focusing on where AI systems and integrations meet the modern web. He specializes in attacking AI-powered applications, including prompt injection, agent, and integration weaknesses that appear as large language models get wired into real products.

Ryan Nolette
Ryan is AWS's Senior Security Engineer and CoAuthor of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost 2 decades in the infosec field, Ryan has been on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan has been an active speaker and writer on threat hunting and endpoint security.

Samet Can Tasci
Samet Can Tasci is a Senior Linux Systems Engineer and cybersecurity researcher with hands-on experience in enterprise infrastructure, cloud environments, application security, identity systems, monitoring, and security automation.
His background combines production engineering with offensive security, giving him a practical view of how vulnerabilities, misconfigurations, and defensive controls behave in real-world systems. His research interests include infrastructure hardening, web application security, threat modeling, detection gaps, automation, and the failure modes of modern defensive technologies.
Samet focuses on turning complex technical behavior into clear, testable, and operationally useful security research for both offensive and defensive teams.

Nick Copi
Nick Copi is a full-time bug bounty hunter targeting web applications, cloud infrastructure, desktop apps, and pretty much anything with an attack surface. His background spans application security engineering, full-stack development, and a long track record of local CTF competition wins. He has presented several technical talks at security conferences and regularly publishes and reviews security research. He really likes JavaScript. Maybe too much. Maybe someone should check on him.

Hui Yi
Hui Yi (@angelystor) runs Vulnerability Management at TikTok, where her team triages HackerOne submissions, validates impact, and decides bounties. Before she was on the receiving end of your reports, she was writing them: her earlier career was spent on red teams building malware and C2 systems and doing vulnerability research at GovTech Singapore. She has presented at conferences including Black Hat Asia and SINCON, and sits on the Black Hat Asia Review Board. In her spare time she plays the 古琴 (Guqin) and vibe codes games.

Chris Holt
Chris Holt, aka flyingtoasters, is a seasoned bug bounty program leader with over 15 years of experience in application and product security. Certified by GAIC, NTISSI, Guinness, PADI, and the USSF, he has spent the last 8 years building and scaling some of the industry's most respected bug bounty programs. His expertise spans the full spectrum of vulnerability management: from offensive security and researcher engagement to program operations and strategic growth.

Radu Stefan Voloaga
Radu Voloaga is a Senior Product Manager at Intigriti, working at the intersection of customers, security researchers, and crowdsourced security programs. He collaborates closely with organizations and the hacker community to understand what drives high-signal discoveries, and how reconnaissance, asset discovery, and hacker behavior translate into actionable security intelligence.
Radu leads the development of Crowd Recon, an initiative focused on making the activity that happens between vulnerability reports measurable and actionable. By transforming researcher-driven reconnaissance into structured signals, Crowd Recon helps surface attack surface blind spots that traditional approaches often miss while complementing scanners, AI, and attack surface management tooling.
He also spends an unreasonable amount of time wondering who created a particular internet-facing asset, why it still exists, and whether anyone remembers owning it.

Martzen Haagsma
Martzen Haagsma is a Product Security Engineer at HackerOne with a passion for building secure systems through collaboration, automation, and continuous learning. With experience spanning security testing, DevOps engineering, and technical leadership, Martzen focuses on helping organizations identify vulnerabilities, improve security processes, and strengthen their overall security posture.
Known for a solution-oriented mindset and a strong belief in the power of teamwork, Martzen enjoys connecting people, sharing knowledge, and turning complex security challenges into practical outcomes. Prior to joining HackerOne, Martzen worked across both public and private sectors in roles involving security testing, agile quality engineering, and engineering leadership.
Outside of work, Martzen is an active technologist with interests ranging from security and software development to automation, IoT, and 3D printing. Through writing, mentoring, and community engagement, Martzen advocates for curiosity, collaboration, and making technology more secure and accessible for everyone.

Rajanish Pathak
I (@h4ckologic) am a cybersecurity researcher passionate about uncovering and addressing critical vulnerabilities in complex technology implementations. My work includes identifying and reporting issues to top tech companies like Apple, Google , Microsoft and many others, some of my CVES identified are Apple (CVE-2021-31001), PhantomJS (CVE-2019-17221), and NPM html-pdf (CVE-2019-15138). I’ve had the privilege of sharing my research at leading conferences, including NoNameCon, Ekoparty, and Hacktivity (2020); Hack in the Box and Romhack (2023); and HITB Bangkok and BSides Ahmedabad (2024), Hack Lu (2025). With a focus on practical solutions and deep technical insights, I’m dedicated to advancing security practices and contributing to the global infosec community.

John Kotheimer
John is a Senior Information Security Engineer and Technical Lead of the AI Vulnerability Reward Program (AI VRP) at Google in New York City. John has significant experience operating bug bounty programs–including a previous role as TL of the Abuse Vulnerability Reward Program at Google–as well as a background in infrastructure security, red teaming, and incident response. As AI VRP lead, John oversees the triage of hundreds of AI bug reports submitted to the program every week. John also coordinates the panel that determines rewards for accepted AI bugs at Google and helps plan and run many of Google’s bugSWAT live hacking events. Before joining Google in 2019, John was an information security consultant at Mandiant and completed graduate study at Carnegie Mellon University. Outside of work, he enjoys travel, craft beer, and riichi mahjong.
bottom of page
.png)






