Today, we present an interview with Denver Jackson. He's a full-stack developer originally from the UK, now living in Thailand for the past 10 years. He's a passionate security researcher who loves coding and exploring how things work. In his free time, he watches Arsenal, runs a 60k-subscriber YouTube channel for live watch-along reactions, and enjoys going out with friends and a beer whenever he gets the chance.
Why did you end up in security? Was this your plan all along, or was it an accident?
It wasn’t exactly planned, but it feels like a natural evolution. I’ve been coding since I was like 12 years old and spent a multitude of years working as a full-stack developer across various companies. I’ve always been fascinated by hacking and how others manage to attack systems, pretty much because I wanted to know how to protect my own systems. At some point, I started trying to replicate vulnerabilities before public proofs of concept came out — partly out of curiosity, partly to challenge myself, and then I eventually found out about bug bounty programs and started participating.

What tips would you give a person interested in ethical hacking?
I would highly recommend starting off by learning a programming language like PHP and then Python. Those will give you a solid foundation once you've learnt them well. I would then say try to replicate the vulnerabilities you see once they are public on vulnerability databases and try to create your own PoCs before they are released. This will help you understand how the vulnerability works and how to exploit it. Once you feel comfortable with that, start looking for your own vulnerabilities in open source projects or bug bounty programs.
You started your adventure with the Patchstack Bug Bounty Program by finding several 0-days. How do you find vulnerabilities? Do you have some proven practices? Do you hunt for a specific type of vulnerability or not?
Without giving away too many details, my process usually starts with plugins that have high install counts but relatively simple or outdated codebases — they’re often under-reviewed despite their reach. I’ll read through recent changelogs or patch notes first to see what was fixed and think about what might have been missed. Then I manually review the plugin’s PHP files, focusing on common weak spots like unauthenticated AJAX handlers, REST API routes, or broken nonce/capability checks. I don’t limit myself to one type of vulnerability, but I do lean towards logic flaws and auth bypasses — especially cases where user input isn’t properly validated before sensitive actions. For me, it’s all about reading the code slowly, understanding the flow, and spotting assumptions the developer made that an attacker could break / bypass.
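The three weak spots named in that answer, as an added illustration that is not the interviewee's code or any real plugin's code: an AJAX handler reachable by logged-out users with no nonce or capability check, a nonce that is verified but whose result is ignored, and a REST route whose permission_callback lets everyone through. Each is shown next to its hardened form. The "xmpl_" prefix, option names, route names and the example action names are all hypothetical.

```php
<?php
/**
 * Added example, not code from the interview or from a real plugin.
 * Hypothetical plugin prefix "xmpl_"; every name below is invented.
 */

// ---- 1. AJAX handler ---------------------------------------------------------

// VULNERABLE: wp_ajax_nopriv_ exposes the callback to logged-out visitors, and
// the callback writes a request parameter straight into an option.
add_action( 'wp_ajax_nopriv_xmpl_save_settings', 'xmpl_save_settings_vuln' );
add_action( 'wp_ajax_xmpl_save_settings',        'xmpl_save_settings_vuln' );
function xmpl_save_settings_vuln() {
    update_option( 'xmpl_webhook_url', $_POST['webhook_url'] );
    wp_send_json_success();
}

// BROKEN CHECK: the nonce is verified but the return value is never used, so
// the function behaves exactly like the vulnerable one for a logged-in user.
add_action( 'wp_ajax_xmpl_save_settings_broken', 'xmpl_save_settings_broken' );
function xmpl_save_settings_broken() {
    wp_verify_nonce( $_POST['nonce'] ?? '', 'xmpl_save_settings' ); // result ignored
    update_option( 'xmpl_webhook_url', $_POST['webhook_url'] );
    wp_send_json_success();
}

// HARDENED: logged-in users only (no nopriv hook), CSRF nonce enforced,
// capability checked, input unslashed and sanitized before it is stored.
add_action( 'wp_ajax_xmpl_save_settings_v2', 'xmpl_save_settings_safe' );
function xmpl_save_settings_safe() {
    check_ajax_referer( 'xmpl_save_settings', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = esc_url_raw( wp_unslash( $_POST['webhook_url'] ?? '' ) );
    update_option( 'xmpl_webhook_url', $url );
    wp_send_json_success();
}

// ---- 2. REST route -----------------------------------------------------------
add_action( 'rest_api_init', function () {
    // VULNERABLE: '__return_true' makes a destructive endpoint public.
    register_rest_route( 'xmpl/v1', '/delete-user', array(
        'methods'             => 'POST',
        'callback'            => 'xmpl_delete_user',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the capability check lives in permission_callback, and the
    // argument is validated and sanitized by the REST layer before the callback runs.
    register_rest_route( 'xmpl/v1', '/delete-user-v2', array(
        'methods'             => 'POST',
        'callback'            => 'xmpl_delete_user',
        'permission_callback' => function () {
            return current_user_can( 'delete_users' );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_numeric( $v ) && (int) $v > 0; },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function xmpl_delete_user( WP_REST_Request $req ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    $deleted = wp_delete_user( (int) $req->get_param( 'id' ) );
    return rest_ensure_response( array( 'deleted' => (bool) $deleted ) );
}
```

When reviewing, grep for `wp_ajax_nopriv_`, `__return_true` inside `register_rest_route()`, and calls to `wp_verify_nonce()` whose result is not checked; each hit is a place to trace the callback and ask whether it touches something sensitive. Note that a nonce only defends against CSRF and is not an authorization check, which is why the hardened AJAX handler still calls `current_user_can()`. For REST, a cookie-authenticated browser request must also carry the `wp_rest` nonce in the `X-WP-Nonce` header; without it WordPress treats the request as anonymous, so the capability check fails.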
What makes Patchstack’s bounty program different from the rest?
I'll be honest, I haven't participated in any other bounty programs, but what I've found with Patchstack is that the team is really helpful and quick to respond. The reporting process is also super easy to use and makes it easy to submit findings. I also feel the money they pay out is fair and reasonable for the time taken to find vulnerabilities, and I love the idea of the leaderboard, although I'm still trying to fully figure out the algorithm behind that, haha 😁
Is there a vulnerability you found that you are most proud of? How did you find it, and why do you consider it so special?
Yep — and it was my first ever vulnerability, which is why I’m really proud of it. It was a 0-day in a WordPress plugin with over 100,000 active installs. I initially started by replicating a previously reported vulnerability that had already been patched, but I didn’t stop there. I kept digging to understand how the plugin handled authentication overall, and that’s when I found a way to essentially set my own authentication header and bypass the entire auth check, which would eventually lead to full privilege escalation.

If you had unlimited power and could change one thing in WordPress’s security, what would it be and why?
If I had unlimited power to change one thing in WordPress security, I’d modify the login error messaging. Right now, WordPress tells you if a username is invalid or if the password is incorrect, which leaks information. That small detail allows attackers to enumerate valid usernames before even attempting brute-force or targeted attacks. It’s a subtle but widely exploitable flaw. I’d standardize the login response to a generic message like 'Invalid credentials', no matter what went wrong. It’s a simple fix that would shut down a huge number of automated attacks before they even start.
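One way a site owner can get that generic message today without waiting for core to change, as an added example that is not the interviewee's code: hook the `authenticate` filter after WordPress's own username/password and email/password handlers (which run at priority 20) and replace the error codes that reveal whether the account exists with a single generic one. The file and function name are hypothetical; the filter, error codes and WP_Error API are core WordPress.

```php
<?php
/**
 * Added example, not code from the interview. Hypothetical mu-plugin that
 * collapses "unknown username" and "incorrect password" into one generic
 * login error so usernames cannot be enumerated from the response.
 */

// Priority 30 runs after core's password handlers (priority 20), so $user is
// already either a WP_User on success or a WP_Error describing what failed.
add_filter( 'authenticate', 'xmpl_generic_login_error', 30, 3 );

function xmpl_generic_login_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // successful login, nothing to hide
    }

    // Core error codes that differ depending on whether the account exists.
    $leaky_codes = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    foreach ( $leaky_codes as $code ) {
        if ( in_array( $code, $user->get_error_codes(), true ) ) {
            // Same code and same message regardless of which part was wrong.
            return new WP_Error( 'invalid_credentials', __( 'Invalid credentials.', 'xmpl' ) );
        }
    }

    // Other errors (empty fields, lockouts from other plugins) pass through unchanged.
    return $user;
}
```

Doing this in `authenticate` rather than with the `login_errors` filter matters: `login_errors` only rewrites the text printed on wp-login.php, while `authenticate` sits inside `wp_authenticate()`, so XML-RPC logins and anything else that calls `wp_signon()` get the same generic response. The replacement code is deliberately not `empty_username` or `empty_password`, so core still fires `wp_login_failed` and rate-limiting plugins keep working. This closes the login-form channel only; author archives and the `/wp/v2/users` REST endpoint are separate enumeration paths that need their own handling.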
How have your hacker skills and mindset come in handy elsewhere?
I've spotted vulnerabilities in code that other developers missed when reviewing codebases and commits while working for companies in the past.