Vitor Falcão "busfactor" (@busf4ctor) / X

Vitor Falcão "busfactor"

1,046 posts

Vitor Falcão "busfactor"

@busf4ctor

Full-Time Bug Bounty Hunter | 🥈 2x Google bugSWAT 2nd Place | 🥇 1x Google bugSWAT Best AI VRP Researcher

Brazil

Joined November 2015

Vitor Falcão "busfactor"
@busf4ctor
Feb 26, 2025
This is insane
hackerone.com
GitLab disclosed on HackerOne: Account Takeover via Password Reset...
@asterion04 submitted a report to GitLab. Summary I found a way to change the password of a GitLab account via the password reset form and successfully retrieve the final reset link without user...
80K
Vitor Falcão "busfactor"
@busf4ctor
May 23, 2023
Today I discovered this gem exploit-notes.hdks.org
43K
Vitor Falcão "busfactor"
@busf4ctor
Aug 20, 2025
The first month of full-time hunting ended very well!
Vitor Falcão "busfactor"
@busf4ctor
Aug 5, 2025
I completed my second week as a full-time hunter. It's hard, but having @Rhynorater, @xssdoctor, @un1tycyb3r by your side makes it easy. Last month's stats (half as a full-time hunter): 2 crits triaged 2 highs triaged 1 crit pending triage 3 Google Cloud VRP bugs pending triage
29K
Vitor Falcão "busfactor"
@busf4ctor
Oct 24, 2025
A few months ago, I began studying bug bounties extensively. I've made my list public, and you can submit links to help expand it!
docs.google.com
Bug Bounty Reading List
40K
Vitor Falcão "busfactor"
@busf4ctor
Mar 7, 2023
Looks like the new tool that I wrote in 1 hour is making some profit 😎🤑
Vitor Falcão "busfactor"
@busf4ctor
Mar 7, 2023
Are there any tools that check for reflected parameters from URLs and headers and are not Burp Pro extensions? Will I have to write my own?
58K
Vitor Falcão "busfactor"
@busf4ctor
Oct 25, 2023
Most people believe SQL injections are in the past. They say it's hard to find them. The main issue is the use of automated tools like SQLMap. I'll go through the reasons in this thread so you can give your opinions.
43K
Vitor Falcão "busfactor"
@busf4ctor
Jul 12, 2024
Just snagged my first @Hacker0x01 recon bounty thanks to @Jhaddix's course! Seriously, I just followed the slides, followed all those steps, and found what others missed! The course paid for itself 🎉
26K
Vitor Falcão "busfactor"
@busf4ctor
Feb 17, 2025
Yay, I was awarded a $11,000 bounty on @Hacker0x01! hackerone.com/busf4ctor #TogetherWeHitHarder
hackerone.com
HackerOne profile - busf4ctor
- https://vitorfalcao.com
11K
Vitor Falcão "busfactor"
@busf4ctor
Mar 10, 2023
This is a nice one-liner that I am already using
23K
Vitor Falcão "busfactor"
@busf4ctor
Jan 30, 2025
It only took 30 minutes to go from "new" to "triaged"! 🤯
11K
Vitor Falcão "busfactor"
@busf4ctor
Feb 26, 2025
New blog post! It took me a few months to get motivated to write again, but here we are with a remarkable client-side chain I found with @xssdoctor
vitorfalcao.com
Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain
I’ve always wanted to hack on one of those targets that top hackers were going after—not just because they pay well, but because they usually have fair triaging and amazing scopes. But how? Finding...
16K
Vitor Falcão "busfactor"
@busf4ctor
Feb 25, 2025
I love you @xssdoctor! We got $7,500 for our bug :) Yay, I was awarded a $3,750 bounty on @Hacker0x01! hackerone.com/busf4ctor #TogetherWeHitHarder
hackerone.com
HackerOne profile - busf4ctor
- https://vitorfalcao.com
8.6K
Vitor Falcão "busfactor"
@busf4ctor
Oct 8, 2025
About three months ago, I began full-time bug bounty hunting. It's been a great journey. Read about it on my blog 🙂
My First 3 Months as a Full-Time Bug Bounty Hunter: A Journey of Highs and Lows
From vitorfalcao.com
11K
Vitor Falcão "busfactor"
@busf4ctor
Aug 5, 2025
I completed my second week as a full-time hunter. It's hard, but having @Rhynorater, @xssdoctor, @un1tycyb3r by your side makes it easy. Last month's stats (half as a full-time hunter): 2 crits triaged 2 highs triaged 1 crit pending triage 3 Google Cloud VRP bugs pending triage
37K