Reported vulnerabilities/bugs
- Found and fixed a cross-site scripting exploit in the PageTriage extension deployed on English Wikipedia. CVE-2024-23174
- Awarded 5000 USD for finding a mechanism to reliably leak a user’s browsing history via an experimental origin-trial web feature in Google Chrome 116. https://crbug.com/1457049
- Awarded 7500 USD for discovering an XSS sanitization deficiency in the Golang html/template library. CVE-2023-24538
- Awarded 3133.7 USD by the Google Vulnerability Rewards Program in 2022 for discovering authentication bypasses in the dart:core URI parsing module in Dart-lang. CVE-2022-3095
- Awarded 3133.7 USD by the Google Vulnerability Rewards Program in 2021 for discovering a URL validation bypass in Google’s Clojure library.
- Found and reported security/privacy issues in Google Chrome's and Firefox’s implementations of the ResourceTiming API. CVE-2022-1146, CVE-2022-29915
- Found and reported a high-severity denial-of-service attack against the popular jpeg-js JavaScript library to snyk.io. CVE-2022-25851
- Use-after-free in sudo-project/sudo (cvtsudoers). GitHub issue #198