Meet João Pedro Soares de Alcântara AKA Kinorth

Published 5 March 2025
Today we present an interview with João Pedro Soares de Alcântara (most of you probably know him by his nickname – Kinorth). He lives in Brazil and has been passionate about computers since his childhood. He started studying security three years ago, and today, he’s a bug bounty hunter.

He’s also on the Patchstack Alliance all-time researcher podium with over 590 contributions.

Why did you end up in security? Was this your plan all along or was it an accident?

Since I was a kid, I’ve always been passionate about computers and video games. I was the kind of child who loved diving deep into everything I played. So, at 11 years old, I created my game server with my younger brother. I still remember tweaking the game files to add content to our server—content that didn’t even exist in the original game. From that moment on, I couldn’t picture myself in any career that wasn’t in the IT field.

At 18, I started a federal technical course focused on programming and web development. There, I learned several web concepts that I now use daily as an ethical hacker. Being a hacker has always been a dream of mine, heavily inspired by movies, series, and anime.

But it was only in college that I realized I could turn this dream into my profession. So, I began my journey into cybersecurity by studying through online courses and freely available content on the internet.

Currently, it’s been a little over three years since I started studying cybersecurity. During this time, bug bounty programs have been essential to my growth, mainly because I faced several challenges trying to break into this market. Bug bounty ended up being the best way I found to gain experience and work in the field.

So, I wouldn’t say that working in security was an accident, but rather a career dream that I dedicated myself to making a reality.

What tips would you give a person interested in ethical hacking?

Don’t be afraid to start hunting for vulnerabilities! It’s essential to put everything you learn into practice as you study. Waiting until you’re “100% ready” is a mistake because, in this field, learning is constant and never-ending. Even if you only know one type of vulnerability, start looking for it while continuing your studies.

In the beginning, I could only find XSS vulnerabilities, but every report I submitted was a huge motivation to keep moving forward and learning more!

How do you find vulnerabilities? Do you have some proven practices? Do you hunt for a specific type of vulnerability or not?

I enjoy analyzing WordPress hooks and looking for any improper usage. It’s quite common to find hooks accepting AJAX requests insecurely, often without performing any user validation. But of course, this isn’t limited to just AJAX requests.

Another strategy I use is leveraging regex to find vulnerabilities. Throughout my bug hunts, I’ve noticed that many code patterns repeat themselves. So, whenever I find a vulnerability, I create a specific regex for it and try to find similar ones.

What makes Patchstack’s bounty program different from the rest?

The monthly competitions and various events organized by Patchstack are a major highlight. These intense competitions serve as great motivation to keep me focused on finding vulnerabilities.

Another aspect that makes the program unique is its amazing community—always active and helping each other. It makes you feel that we’re not alone in this mission to make the web a safer place.

And of course, I can’t forget to mention the Patchstack team—they’re incredibly friendly and understanding. I can communicate with them freely, which is very different from other traditional Bug Bounty sites, where interaction with the staff is minimal.

Is there a vulnerability you found that you are most proud of? How did you find it and why do you consider it so special?

The vulnerability I’m most proud of finding was an XSS on NASA’s main domain. It was one of the first vulnerabilities I discovered in a bug bounty program, and from that moment on, I started seeing myself as a professional hacker!

But when it comes to WordPress, there are a few vulnerabilities that stood out to me. Among them, the XSS I found in the Essential Addons for Elementor plugin, multiple XSS vulnerabilities in Bold Page Builder, and an LFI I discovered in WPBakery.

In October, you won our famous Special Bug Bounty by reporting 275 vulnerabilities in a month. How did you do it?

My strategy was to focus exclusively on the new event scope. First, I downloaded all the available plugins from the WordPress SVN repository. Then, I filtered out all the plugins that were already part of the monthly competitions, leaving only the newly added ones in the event’s scope.

My entire hunting process was driven by regex to maximize the number of vulnerabilities found in the shortest time possible. I started by looking for obviously vulnerable code since being the first to spot them would give me a better chance of avoiding duplicates.

I earned a lot of AXP points with LFI, Arbitrary File Upload, and Privilege Escalation, but in the end, I focused entirely on hunting for XSS and SQL Injection.

But of course, to report 275 vulnerabilities in just a few days, I had to dedicate countless hours each day. On the final day, I went over 24 hours straight reporting and hunting for flaws—without any sleep.

João’s faithful companion

If you had unlimited power and could change one thing in WordPress’s security, what would it be and why?

It might sound silly, but I would rename some hooks and functions! For example, the “admin_enqueue_scripts” and “admin_notices” hooks, which can be accessed by Subscriber users. Another problematic case is the “is_admin()” function—it doesn’t check the user’s access level, yet I often see it being used as if it does, which can lead to vulnerabilities.

Although these hooks and functions aren’t meant to check user access levels, their names often mislead developers into making mistakes. I’ve found and reported dozens of vulnerabilities caused by this kind of confusion.

How have your hacker skills and mindset come in handy elsewhere?

I can’t pinpoint a specific moment, but I believe I’ve become more analytical over time. Additionally, I’ve developed OSINT skills that occasionally come in handy—especially when I need to find a way to contact someone without their email or other contact information.

You can connect with João on:

LinkedIn
