15 Famous Bug Bounty Hunters

In this article we will learn about 15 Famous Bug Bounty Hunters.

15 famous bug bounty hunters

In today’s article, let us recognize fifteen famous and 1337 bounty hunters that are the talk of the web. This list doesn’t list all the top bug bounty hunters on top crowdsourcing platforms like Bugcrowd, Hackerone, and Cobalt (formerly Crowdcurity), but people who have proven themselves worthy of their contribution and embody real hacker culture – although some people who will also calculated.

The goal is not to list the people who ranked first in the Bug Bounty programs just because of the number of vulnerabilities they submitted, which could be inaccurate. This is in honor of Bugcrowd’s “State of Bug Bounty” PDF report.

Bugcrowd’s “The State of Bug Bounty” states:

A self-employed “security researcher” based in Pakistan was the most prolific submitter overall, with 1,094 contributions – nearly three times the number of leader points and nearly four times the number of top-paid researchers. This is particularly notable given that his first post wasn’t until February 18, 2014 – about a year later than the points and rewards leaders.

While his 1,094 contributions make him the top submitter in the entire research community, a significantly below-average priority rating of 4.42 and a very low overall average reward per valid contribution of $20.54 make this researcher very noisy. These numbers indicate that this researcher uses a shotgun approach to finding and submitting bugs, even if the problems found are eventually flagged as invalid bugs. Further proof of this hypothesis is the fact that this researcher has an extremely low 4% acceptance rate for his papers.

Given these numbers, one could conclude that this researcher places a higher value on the notoriety of the number of submissions than the awards – with 120 Hall of Fame entries, it would be hard to argue that point. So, even though this researcher is very proactive and active, simply put, he is submitting things that are not as valuable as the contributions of other researchers. The upper part in this case is much noisier than the desired signal.

The names are not in order. Okay, let’s get started!

Drum roll please…

Stéphane Chazelas

Stéphane is a *nix and Telecom Specialist who discovered the GNU Bourne-Again Shell (Bash) Shellshock vulnerability. He is also involved in the UNIX and Free Software/Open Source community (writings, contributions to projects). He reported Shellshock at Hackreon and was rewarded $20,000 for the responsible disclosure.

Rafay Baloch

Rafay is a Pakistani independent security researcher who owns rafayhackingarticles.net. He once found a security flaw that allowed remote code execution inside PayPal, for which he was awarded $10,000 and also offered a job by PayPal, but declined the job offer. Rafay is an active participant in bug bounty programs and is listed in a large number of Halls of Fame including Google, Facebook Microsoft, Twitter and Dropbox. Most famously, he discovered the Android Stock browser address bar spoofing that affected Android Lollipop and previous versions.

Frans Rosen

Frans is currently ranked #2 on Hackerone’s top bug bounty hunters. He is a Dev/Security/Founder at Detectify. He was interviewed by Adam Crouchley for finding a flash-based XSS vulnerability in Mega that earned him €1,000. A bit big for a SWF issue, but still a good find. He reported many security bugs for which he was rewarded with a large amount of money.

Jason Haddix

In addition to being Bugcrowd’s former top bug bounty hunter, Jason is currently Bugcrowd’s Director of TechOps. Together with Daniel Miessler, he heads the OWASP IoT, OWASP SecLists and OWASP Mobile Top Ten projects. It is a great web and mobile hacker.

Nir Goldshager

Nir is the CEO of Break Security. He also worked at Imperva in a unique research position that bypassed the Imperva Web Application Firewall. In 2012, he was ranked first in the Facebook Security (White Hat Hacker) Hall of Fame https://www.facebook.com/whitehat/thanks/.

Roy Castillo

Roy is a Filipino bug hunter who reported stored XSS in Gmail for iOS and is known for reporting a bug on Facebook that exposes primary Facebook email addresses. He is believed to be one of the first Filipinos to participate in Bug Bounty Programs. Before his bug-hunting fame, he exploited Facebook’s XSS, which allows outsiders to add scripts to websites. His “Off to Danao City” status infuriated some Facebook users because it couldn’t be deleted and Roy couldn’t be blocked — because he wasn’t in the friend lists of the profiles he appeared on. A bit naughty LOL.

Emily Stark

Emily is a software engineer on the Google Chrome security team. Before working at Chrome Security, she was the lead developer of Meteor, a JavaScript application framework. So who doesn’t know Emily? Well, she is one of the few female bug hunters and has participated in many security crowdsourcing platforms. You don’t want to mess with that woman. Do you want some proof? Check this link: https://hackerone.com/emily.


Bitquark is also a former #1 bug hunter, as is Jason Haddix. Although not much is known about his personal life, he has shared a lot of ass-kicking security flaws that he uncovered on his blog ‘bitquark.co.uk’. Google “Google Sites” awarded him a total of $13,034.80 for his five mistakes.

Don A. Bailey

Don is an information security professional and security researcher whose research has been featured on news exchanges around the world, from CNN, Reuters, BBC and Al Jazeera. He served as Director of Research for iSEC Partners, CTO of emerging startup Revolar, and founded his own IoT startup, Lab Mouse Security. His report of a memory corruption vulnerability in LZ4 software (CVE-2014-4611) earned him a $6,000 reward at Hackerone. It also created a memory corruption payload for any application that uses LZ4, such as Python and Ruby. Don has spoken at InfoSec and hacking conferences such as Black Hat, Hack in the Box, 44con, Duo Security, etc.

Neal Poole

He is a bug hunter and security engineer at Facebook working on the Product Security team. Before he started working at Facebook, he reported almost a dozen flaws to Facebook and also received a White Hat card and was recognized in Facebook’s Whitehat Hall of Fame. He also acquired cash reporting flaws for Google and Mozilla and blogs about every vulnerability he finds after patching them, detailing every step of his discovery and interaction with the affected vendor.

Jung Hoon Lee

Lee is a Korean exploit developer who raised a total of $225,000 for Pwn2Own at the CanSecWest 2015 security conference. In Pwn2Own, he was able to use Mozilla Firefox, Microsoft Internet Explorer and Google Chrome. He also managed to compromise the Windows operating system and ended up with a shell in System by exploiting a hardened version of Google Chrome during CansecWest 2014.

Avram Marius Gabriel

Avram A.K.A @securityshell on Twitter has been implicated in the responsible disclosure programs of Adobe, eBay, Facebook, Google, Microsoft, Twitter, etc. In addition to cracking bug bounty programs, he currently works as a security engineer at RandomStorm. He also maintains a great blog at security-sh3ll.blogspot.com.

Mazin Ahmed

Mazin is a bug bounty hunter who owns blog.mazinahmed.net, where he blogs about his vulnerability findings, such as Multiple CSRF vulnerabilities in Facebook Messenger. It was nominated for the Pwnie Awards 2015 in the “Best Client Side Error Pwnie” category. He is known for his research on the W3 Total Cache vulnerability that leads to a complete invalidation (CVE-2014-9414).

Muhammad Ramadan

Mohamed is the lead author of CODENAME: Samurai Skills Course. He discovered vulnerabilities in Google, Facebook, Twitter, Microsoft, Yandex, Apple, Adobe, Nokia, AT&T, RedHat, SoundCloud, GitHub, Etsy, Nokia Siemens, Zynga, etc. One of his notable findings is the Facebook Camera app for iOS, which allows hackers to hijack accounts, Blind XXE on Facebook by uploading a document, and how attackers can sniff the images you upload to your Facebook Android app.

Read also :The Hacker Methodology 2023

Shubham Shah

Shubham is a security researcher and bounty hunter based in Sydney, Australia. He currently works as a security analyst for Bishop Fox. When he was still 16 years old, he was able to bypass 2-Factor-Authentication (2FA) on Google, Facebook, Yahoo, LinkedIn and many others. He has been inducted into whitehat halls of fame at PayPal, Facebook, Google and Microsoft for his responsible disclosure. At the time of writing, it has been credited with five CVEs.


State of Bug Bounty – https://pages.bugcrowd.com/rs/601-RSA-253/images/state-of-bug-bounty-08-2015.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *