Tools ↗
Robin Divino
Robin Divino
@japzdivino  ·  h4nt3rx
Principal Offensive Security Engineer · Bug Bounty Hunter · OSCP
Web AppSec Network Pentesting Bug Bounty API Security Philippines 🇵🇭

Whoami

I'm a security researcher and penetration tester based in the Philippines, currently working as Principal Offensive Security Engineer at VikingCloud, where I lead a team of offensive security professionals.

I started out as a programmer, spending five years writing software before pivoting into information security — a move I've never looked back on. Today I focus on web application security, API testing, network penetration testing, and mobile security for clients worldwide.

Outside of my day job I've been hunting bugs on HackerOne and Bugcrowd since the early days, reporting over 1,000 valid vulnerabilities to more than 180 organizations, and racking up acknowledgements from Facebook, Microsoft, PayPal, Quora, SAP, HackerOne, and the U.S. Department of Defense. In 2016 I was ranked 5th globally among the most-voted hackers on HackerOne for the entire year.

I serve as a HackerOne Brand Ambassador for the Philippines, helping grow and support the local security research community.

Gamer by day. A bug bounty hunter by night.

Work History

Credentials

🔐
OSCP — OffSec Certified Professional
OffSec  ·  April 2023
Verify ↗
🟢
HTB CWES — Certified Web Exploitation Specialist
Hack The Box  ·  February 2024  ·  HTBCERT-17A20004B9
Verify ↗

B.S. Computer Science (Application Development) — University of Makati

Notable Findings

Internal attachments exported via "Export as .zip"
HackerOne $12,500 2016 · Highest single bounty ever paid by HackerOne at the time
Getting the email address of any HackerOne user via GraphQL
HackerOne $12,500 2023
Bypass HackerOne 2FA requirement and reporter blacklist
HackerOne $10,000 2018
Easy $10,000 bounty using the Wayback Machine
HackerOne $10,000 2025
IDOR on HackerOne Embedded Submission Form
HackerOne $2,500 2024
Redacted usernames disclosure in "Export as .pdf" feature
HackerOne $500 2023
SOP Bypass using rel='noreferrer'
HackerOne 2018
Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature
HackerOne 2018

Also acknowledged by Facebook, Microsoft, PayPal, Quora, SAP, and the U.S. Department of Defense.

Publications

📰
Pinoy White Hat
medium.com/pinoywhitehat  ·  Editor & Contributor
✍️
Personal Medium Blog
robindivino.medium.com
📝
Hashnode Blog
h4nt3rx.hashnode.dev
▶️
YouTube Channel
youtube.com/@japzdivino  ·  White-hat hacking walkthroughs

Community

ROOTCON — Bug Bounty Village
Represented the Bug Bounty Village at the Philippines' premier hacking conference.
SPIRITCYBER24
Singapore International Cyber Week IoT Bug Bounty Hackathon — competed as team Peenoise, placing 3rd.
SPIRITCYBER25
Singapore International Cyber Week IoT Bug Bounty Hackathon — competed as team Peenoise, placing 4th.
HackerOne Philippines Club
Delivered talks on Web Application VAPT and bug bounty hunting for student communities.