Mario Mejia | Security Researcher & Bug Bounty Hunter

About Me

I am an Offensive Security Engineer with a solid background in Security Penetration Testing, Vulnerability Research & Bug Bounty Hunting. Recognized as Mexico and Central America's top-ranked hacker for 4 consecutive years on HackerOne. My independent security research has led to significant industry recognition, including being selected as a main stage speaker at BugCon Mexico 2024.

Over the course of my career, I've successfully identified and reported more than 200 vulnerabilities, demonstrating expertise in web applications, APIs, Artificial Intelligence Systems, LLM's and cloud security.

Skills & Expertise

Web Application Security Penetration Testing API Security Artificial Intelligence (AI) LLM Security Cloud Security Network Security Threat Hunting Incident Response Security Controls Cloud Infrastructure Bug Bounty Programs

Professional Experience

Offensive Security Engineer

2022 - Present

Leading offensive security initiatives at dLocal, specializing in penetration testing, threat hunting, and incident response. Coordinated and executed security engagements involving comprehensive vulnerability assessments.

Key Achievements:

Led offensive security operations for global payment platform
Implemented advanced threat hunting methodologies
Developed security controls and incident response procedures
Mentored junior security professionals

Security Penetration Tester

2021 - 2022

Conducted comprehensive security assessments for Tripadvisor, focusing on web applications, APIs, and cloud infrastructure.

Key Achievements:

Performed extensive penetration testing engagements
Identified critical vulnerabilities in production systems
Provided detailed remediation guidance
Enhanced security incident response capabilities

Security Researcher

2019 - Present

Independent security researcher and bug bounty hunter on HackerOne platform. Recognized as Mexico and Central America's top-ranked hacker for 4 consecutive years.

Key Achievements:

Discovered 200+ security vulnerabilities
Top ranked on HackerOne Mexico Leaderboard 2021-2024
Main stage speaker at BugCon Mexico 2024
Published multiple technical writeups and research

Awards & Achievements

1st Place at BugCon Live Hacking Event - 2022

Sep 2022

BugCon Mexico organized a live hacking event hosted by Mercado Libre, competing against the best hackers in Mexico. Demonstrated exceptional skills in vulnerability discovery and exploitation techniques.

Live Hacking 1st Place Mercado Libre

1st Place at BugCon Live Hacking Event - 2021

Sep 2021

Secured first place in BugCon Mexico's live hacking competition, showcasing advanced penetration testing skills and innovative vulnerability discovery techniques against Mercado Libre's assets.

Live Hacking 1st Place BugCon Mexico

Top Ranked Hacker - HackerOne Mexico

2021 - 2024

Recognized as Mexico and Central America's top-ranked hacker for 4 consecutive years on HackerOne platform, demonstrating unparalleled dedication to cybersecurity excellence and research.

HackerOne Top Ranked 4 Years

Latest Writeups

Exposing PII and SSNs through Persistent Session Tokens

2024

PII Exposure Session Tokens Critical

Read Full Writeup →

How I Accessed Microsoft's ServiceNow

2024

ServiceNow Microsoft Enterprise

Read Full Writeup →

Latest Posts

July 15, 2025

I earned $5,000 for my submission on @bugcrowd
1-Click prompt injection💉 allowed an attacker to send a victim a URL with an embedded malicious prompt that would extract their sensitive information and send it to the attacker's server.#bugbountytips #ittakesacrowd pic.twitter.com/NqYjtPblDk
— Moblig (@moblig_) July 15, 2025

June 14, 2025

🧵 HTTP Parameter Pollution — full customer data exposure in a payments API.

During a pentest, I came across a request that initially seemed secure.
The server extracted the customer ID from the authentication cookie and used it to filter payment records server-side.

However👇… pic.twitter.com/OPbiYje4cY
— Moblig (@moblig_) June 14, 2025

October 19, 2024

Yay, I was awarded a $15,000 bounty on @Hacker0x01!

The program was running a 3x campaign and had an average of 0% critical vulnerabilities.

An unusual combination of persistent tokens and good ol' Google Dorking. I will be doing a write-up for this one when it is resolved,… pic.twitter.com/Oja6z8yTPb
— Moblig (@moblig_) October 19, 2024

September 14, 2022

Yay, I was awarded a $16,300 bounty on @Hacker0x01! https://t.co/8mFTC1blb4 #TogetherWeHitHarder
🎉🎉🎉
Tip: Even if an asset asks for authentication, fuzz for endpoints using ffuf, I found an unauthenticated API that allowed me to retrieve sensitive information! pic.twitter.com/vXVvEOpKnh
— Moblig (@moblig_) September 14, 2022

Get In Touch

Let's Connect

Interested in security research, bug bounty programs, or collaboration opportunities? Feel free to reach out!

Bug Bounty Programs

I actively participate in various bug bounty programs and have been recognized as Mexico and Central America's top-ranked hacker for 4 consecutive years. If you're running a program and need a security researcher, let's talk!

↓

Mario E. Mejia Lezama

About Me

Skills & Expertise

Professional Experience

Offensive Security Engineer

Key Achievements:

Security Penetration Tester

Key Achievements:

Security Researcher

Key Achievements:

Awards & Achievements

1st Place at BugCon Live Hacking Event - 2022

1st Place at BugCon Live Hacking Event - 2021

Top Ranked Hacker - HackerOne Mexico

Latest Writeups

Exposing PII and SSNs through Persistent Session Tokens

How I Accessed Microsoft's ServiceNow

Latest Posts

Get In Touch

Let's Connect

Bug Bounty Programs