ROOTCON 19 will be on September 24, 25 & 26, 2025, at Royce Hotel in Clark, Pampanga.
Bug Bounty Village
Bug Bounty Village Philippines is a dedicated space for ethical hackers, researchers, and cybersecurity enthusiasts to explore the world of ethical hacking through bug bounty programs. The village aims to foster learning, collaboration, and networking among security professionals and aspiring ethical hackers. Participants will gain hands-on experience identifying and reporting vulnerabilities responsibly, contributing to a safer digital landscape.
Operator
Robin "Japz" Divino (@h4nt3rx)
Talk
Breaking into Bug Bounties: Turning Skills into Rewards
Bug bounty hunting has opened the doors for hackers, researchers, and security enthusiasts to turn their technical skills into real-world rewards. In this talk, we’ll explore how to get started in the bug bounty world — from understanding program scopes and essential tools, to applying proven hunting methodologies that lead to payouts and recognition. Attendees will learn practical techniques, see a live demo of new vulnerability research, and walk away with a checklist of quick-win bug types. Whether you’re a curious beginner or an aspiring top-ranked hunter, this session will equip you with actionable steps to start hacking for both fun and profit.
Speaker
Robin "Japz" Divino is a Principal Offensive Security Engineer at VikingCloud, an Independent Security Researcher, and a seasoned bug bounty hunter recognized by global companies such as Facebook, Twitter (X), Microsoft, PayPal, and many more. He has submitted hundreds of security reports to various global programs. Robin is the HackerOne Brand Ambassador for the Philippines and has spoken at multiple universities, sharing knowledge to inspire the next generation of ethical hackers.
Car Hacking Village
Automotive Security and Car Hacking have been the focus for more than ten years now. More talks and research are geared towards it because it is the trend, and we owe it to the Car Hacking Village in DEFCON, carfucar, Craig Smith, mintynet and of course to Charlie Miller and Chris Valasek. They are our inspiration to promote security awareness that cars are hackable too. We are bringing CHV to the Philippines at ROOTCON.
Operator
shipcod3
Talks
Connected Car Attack Surface Mapping: OSINT Techniques for Automotive Threat Intelligence
Modern vehicles have evolved into sophisticated, internet-connected computing platforms with attack surfaces spanning cloud infrastructure, telematics systems, and over-the-air update mechanisms. With the automotive industry generating over $11 billion in cyberattack losses in 2023 alone, security researchers struggle to comprehensively map connected vehicle ecosystems using traditional OSINT methodologies that lack automotive-specific knowledge. This presentation introduces a systematic OSINT methodology designed for automotive threat intelligence, combining conventional reconnaissance techniques with automotive-focused discovery methods to identify exposed automotive APIs, misconfigured cloud infrastructure, vulnerable telematics endpoints, and supply chain weaknesses that standard assessments typically miss. Through live demonstrations using real automotive manufacturer targets, attendees will learn to adapt existing OSINT tools like Shodan, Censys, and certificate transparency logs with automotive-focused data sources to build complete attack surface maps of connected vehicle ecosystems. Participants will gain practical skills for discovering OTA update infrastructure, fleet management systems, and connected vehicle APIs while learning to transform raw reconnaissance data into actionable automotive threat intelligence that can be immediately applied, whether entering the automotive security space or expanding traditional pentesting expertise into the rapidly growing connected vehicle market.
Secret Fresh with RAMN and CARLA: The Journey For Autonomous Driving Research on a Miniature Board and Network
RAMN (Resistant Automotive Miniature Network) is a credit-card-sized ECU testbed for safely studying and researching automotive systems. It is good hardware for learning about the CAN Bus, as it simulates a CAN/CAN-FD network of 4 ECUs, and has interactive add-on pods for vroom vroom. It has been used in CTF competitions, particularly in the Car Hacking Village. In this talk, the researchers will discuss how to play with it effectively, demonstrate known CAN Bus attacks, and how to integrate it into a closed-loop with the open-source autonomous driving simulator CARLA. Values from the virtual world, such as car speed and throttle control, take a physical form on the CAN/CAN-FD bus and inside the ECUs. You can drive the car yourself, or let a self-driving algorithm do the job with RAMN.
Speakers
Reuel Magistrado
Reuel Magistrado is an Auto Threat Researcher at VicOne, specializing in web application, web services, and mobile application penetration testing for automotive clients. He is also involved in creating CTF challenges for automotive security. With extensive experience conducting manual security assessments that go beyond automated tools, Reuel has authored technical reports and delivered security solutions to various clients in previous roles at NCC Group and iZOOlogic. Reuel holds multiple industry certifications, including Burp Suite Certified Practitioner (BSCP), APIsec Certified Practitioner (ACP), Practical Mobile Pentest Associate (PMPA), and several specialized penetration testing certifications from The SecOps Group. He also shared his expertise through technical presentations, including his recent talk at NCC Group Philippines’ “Pwning Hall of Fame,” where he demonstrated a race condition exploit leading to price manipulation.
Jay Turla
Jay Turla is a Principal Security Researcher at VicOne and one of the goons of ROOTCON. He has presented at international conferences such as ROOTCON, HITCON, Nullcon, and DEFCON, among others. He previously worked for HP Fortify and Bugcrowd in the area of appsec. His primary research interest at present is car hacking, and he is currently one of the main organizers of the Car Hacking Village at ROOTCON Philippines, a community recognized and supported by the Car Hacking Village. He is an exploit developer and has found some zero-days in Modbus and CAN Bus systems. He is also the leader of the hacking team “Peenoise,” which was one of the top teams during the SPIRITCYBER-24 Hackathon, an IoT / ICS / OT hacking competition in Singapore.
Florengen Arvin Parula
Florengen Arvin Parula is an Auto Threat Researcher at VicOne, where he focuses on Automotive Cybercrime and tinkering with CAN Bus systems. He used to work for Lear Corporation, where he gained experience in automotive testing and QA. He is new to the cybersecurity field but has adapted to the world of automotive security and has even blogged about replicating RAMN (Resistant Automotive Miniature Network) using a Single STM32 Board.
Hardware Hacking Village
Hardware Hacking Village PH is a community of hardware enthusiasts dedicated to the art of tinkering and DIY projects. Our village welcomes individuals of all skill levels, from seasoned experts to those just beginning their journey in hardware hacking. We are passionate about exploring the endless possibilities of hardware technology, and we encourage our members to experiment, innovate, and share their knowledge. Whether you're interested in soldering, circuit design, IoT, or any other aspect of hardware hacking, you'll find a supportive and inspiring environment at Hardware Hacking Village PH.
At Hardware Hacking Village PH, we believe in the power of hands-on learning and the joy of creating something unique. Our community thrives on the curiosity and creativity of our members, who are always eager to dive into new projects and explore the latest DIY trends. By fostering a culture of collaboration and knowledge sharing, we aim to empower everyone to push the boundaries of what they can achieve with hardware.
Hardware Hacking Village will be hosting a Sumobot competition this year, which will be open to all attendees.
Operator
m0gul
Cellular Assault Village
The Cellular Assault Village focuses on the security of cellular communications. Our goal is to raise awareness and educate people about the risks of unsecured cellular networks. We provide equipment, tools, and demonstrations to show different types of attacks and vulnerabilities in cellular networks. This helps attendees understand how cyber attackers exploit these networks.
We also educate attendees about scams involving mobile phones, like malicious links or phishing messages, and other threats such as SMS interception, call spoofing, and SMS spoofing. By showcasing these attacks, we aim to help attendees protect their sensitive data and secure their cellular networks.
Operator
hncaga
Talk
Inside Mobile Communication Attacks and Scams
This presentation takes a closer look at how mobile communication can be abused, showing real examples of how attackers intercept SMS and calls, and how IMSI catchers work to capture information from nearby devices. Live demonstrations will show these attacks from the point of view of an attacker. It will also cover how scammers send fake messages that can lead to phishing and other malicious activities.
The talk will also highlight recent cases from 2024 to the present where these methods were used in real incidents, many of which made headlines. These examples will show how these techniques are being misused today, not only by scammers but also in other forms of fraud and deception.
Speaker
Henry N. Caga
Henry N. Caga is a seasoned cybersecurity professional with extensive experience in penetration testing and independent security research. As a Lead Penetration Tester in 2024, Henry holds certifications in CEH, ECSA, LPT (Master), and eCPTXv2, showcasing his proficiency in ethical hacking and advanced security assessments.
Beyond his professional role, Henry actively contributes to the security community as an independent researcher and bug bounty hunter. His efforts have been acknowledged by leading tech companies, including Google, where he holds a Hall of Fame Rank of 547, as well as Yahoo!, Cloudflare, eBay, PayPal, Twitter, Globe/GCash, and others.
With 15 years of experience in law enforcement, Henry has also been part of INTERPOL's IT Crime Investigation working party since 2007. His combined expertise in cybersecurity and law enforcement enables him to offer valuable insights into emerging threats and defenses. Henry’s journey in cybersecurity began with his first notable appearance in 2004, and he has since been a dedicated contributor to the field, continually working to enhance digital security and share his knowledge with the broader community.
Red Teaming Village
The Red Teaming Village is designed to expose cybersecurity practitioners to various adversarial techniques and contribute to the growth and development of the red team community in the Philippines. A series of presentations and live challenges has been prepared to immerse attendees in the mindset of an attacker. Led by seasoned security professionals, the village provides a valuable opportunity for red teamers to practice and further improve their techniques, as well as to equip blue teamers with the understanding and capability to prevent and mitigate such threats.
This year's revamped exhibits offer an enhanced experience for all participants. Jump into the Red Teaming Village OSINT Challenge and test your skills in uncovering hidden information with real-world scenarios. Plus, the Infamous Live Privilege Escalation Challenge is back with a twist, providing heart-pounding excitement as you practice privilege escalation in a controlled, competitive environment. Prepare for an exciting red-teaming experience!
Operator
ar33zy
LockPick Village
The Lock Picking Village covers the physical side of security, simply because securing your infrastructure is not enough if the weakest link is a physical lock that an attacker can open in a few seconds. With a lock pick kit and a reset pin, one can easily reset your firewalls and switches in no time, God-mode activated!
This year's Lock Picking Village is exclusive to Human+ participants only, and it's all about high-security locks. We will have an in-depth discussion and hands-on demo on high-security locks, the different mechanisms and ways to attack them.
Operator
d3rp