corraldev.

Security researcher · Software engineer

Knowing how to break systems is the best way to build them.

I'm Javier Corral. I hunt vulnerabilities by hand in some of the best-defended platforms on the internet, and I write the software I'd rather not have to break later.

OWASP WSTG · ASVS

Live hacking events

Edge-first engineering

Vulnerabilities reported and accepted at

  • Apple
  • PayPal
  • Adobe
  • Palantir

Plus other Fortune 500 companies and global leaders in their sector, through their bug bounty programs.

See the record on HackerOne

Two crafts, one mind.

The attacker and the engineer aren't two different people. They're the same one, who has seen what happens when software is built badly.

Javier Corral at a live hacking event

Live hacking event · Singapore

  1. 01

    Offensive security

    Bug bounty and manual pentesting. No scanners: business logic, chained flaws, and a reproducible proof of concept for every finding. If it can't be exploited, it doesn't get reported.

    • IDOR
    • SSRF
    • Auth bypass
    • Race conditions
    • GraphQL
  2. 02

    Software engineering

    Real products, not prototypes: multi-tenant SaaS, critical payment integrations, and applications built for your team to maintain — not me. Security goes into the design, not into the final report.

    • TypeScript
    • Next.js
    • APIs
    • SaaS
    • Integrations
  3. 03

    Performance at the edge

    Measure before touching anything. Performance, database and cloud-cost optimisation, deployed at the edge — where your users are, not where the server happens to be.

    • Cloudflare
    • Edge
    • Core Web Vitals
    • Cloud cost

On the ground

Bug bounty doesn't happen from a couch.

Javier Corral photographing agricultural machinery during a hacking event

01Des Moines, Iowa

When the target isn't a website

Attack surfaces that don't live in a browser. Stepping outside familiar ground is the fastest way to find what nobody has looked at.

The Spanish hacker team posing with the Hacker World Cup trophy

02Team Spain

Hacker World Cup

Competing with the Spanish team. Offensive security is far more of a team sport than it looks from the outside.

Work

When you need to hire someone, you hire me.

I work with companies through Crackonce. You always talk to the person who finds the bugs and writes the code — no sales rep in front, no junior behind.

  1. 01

    Offensive security

    Web and API pentesting, security audits and continuous security. OWASP methodology and real bug bounty techniques.

  2. 02

    Software consulting

    Web development, custom SaaS and integrations. Senior engineering with security built in from the first design.

  3. 03

    Performance and infrastructure

    Performance, database and cloud-cost optimisation. Measured before touching anything, and proven with numbers.

Crackonce

My consultancy: offensive security and software engineering for companies that need both and don't want two vendors blaming each other.

Go to crackonce.com

Got something to break, or something to build?

A pentest, an audit, a digital product — or just to talk about bugs. Write to me and I'm the one who answers.

Response time

Under 24 business hours

Research

hackerone.com/corraldev

Company

crackonce.com ↗