September-December 2020

Over the next few weeks I'll publish several articles on fixed vulnerabilities I've discovered over the past couple of years. Most of the vulnerability details have not been previously disclosed, so this website will be the first to publicly publish details. (Don't miss any research: Get new articles via email.)

A few other vulnerabilities have been disclosed by vendors but with limited details. All published research will have significant context around the vulnerabilities for both researchers and vendors to learn how to identify and mitigate.

In the articles I'll provide background information on the vulnerability type, affected types of software, how to identify the vulnerability, and how to properly mitigate the vulnerability. I'll also explain why I recommended specific fixes or mitigations, and how to properly identify the best potential solutions when writing or receiving a vulnerability report.

Typically I perform research which is likely to affect multiple vendors, so most of the articles will focus on a vulnerability type and it's effect on multiple vendors (with varying impacts and severity levels). Hopefully this type of cross-vendor and wider-view analysis encourages others to try research in overarching vulnerabilities which affect multiple products instead of narrow single-product research.

Late 2020/early 2021

Unless another apocalyptic event occurs between September 2020 and early 2021, I expect to continue publishing more current research, ideally shortly after vulnerabilties are fixed and allowed to be disclosed (instead of months or years after the fix). This type of research should be more interesting for everyone. Security researchers will learn how to identify and effectively report similar vulnerabilities which likely still exist in other software. Software vendors will also learn how to identify and defend against these types of vulnerabilities.

I also want to share how I write effective security reports to ensure the correct fix or mitigation is implemented. Even without great writing skills (mine certainly need improvement), these guidelines should help researchers write better security reports and effectively communicate the key technical details. In my experience, this is frequently necessary because some vendors do not have expertise to properly mitigate some vulnerability types.

For vendors, I'll also write on how to improve vulnerability report and research policies to get better reports from researchers and reduce friction on both sides.

What are you most interested in?

If you know of a particular vulnerability or something else I've worked on, and are yearning for more details, don't hesistate to send me an email or Tweet. I've got a significant backlog of interesting research to write about, so your feedback will help me prioritize based on public interest.

Ensure you don't miss any research to get inspired: Get new articles via email.

If you're also interested in research in Spanish, I'll be glad to publish some of the more interesting articles in both Spanish and English. Let me know what you'd like to read in Spanish.

Si tambien te interesan investigaciones en español, me encantaría publicar algunos de los artículos más interesantes en ambos inglés y español. Déjame saber qué te gustaría leer en español.

Thanks for reading. Have a great day! Gracias por leer. ¡Que tengas un buen día!