Publications from Trail of Bits
- Academic Papers
- Conference Presentations
- Guides and Handbooks
- Datasets
- Podcasts
- Public Comments
- Security Reviews
- Disclosures
- Workshops
- Service Overviews
- Research Reports
- Legend
Academic Papers
Conference Presentations
Automated bug finding and exploitation
Blockchain
Compilers
Presentation Title | Author(s) | Year |
---|---|---|
A Broad Comparative Evaluation of Software Debloating Tools | Michael D. Brown, Adam Meily, Eric Kilmer, Ronald Eytchison | 2024 |
Repurposing LLVM analyses in MLIR: Also there and back again across the tower of IRs | Henrich Lauko | 2024 |
VAST: MLIR for program analysis of C/C++ | Henrich Lauko | 2022 |
A Broad Comparative Evaluation of x86-64 Binary Rewriters | Michael D. Brown | 2022 |
On the Optimization of Equivalent Concurrent Computations | Henrich Lauko, Lukáš Korenčik, Peter Goodman | 2022 |
Cryptography
Presentation Title | Author(s) | Year |
---|---|---|
Weak Fiat-Shamir attacks on modern proof systems | Jim Miller | 2024 |
Building a Rusty path validation library for PyCA Cryptography | William Woodruff | 2024 |
Implementing X.509 path validation for Python | William Woodruff | 2024 |
Careful with MAc-then-SIGn | Marc Ilunga | 2023 |
Ergonomic codesigning for the Python ecosystem with Sigstore | William Woodruff | 2023 |
Sigstore for Python Packaging: Next Steps for Adoption | William Woodruff | 2022 |
die, PGP, die | William Woodruff | 2022 |
Seriously, stop using RSA | Ben Perez | 2019 |
Best Practices for Cryptography in Python | Paul Kehrer | 2019 |
Analyzing the MD5 collision in Flame | Alex Sotirov | 2012 |
Engineering
Presentation Title | Author(s) | Year |
---|---|---|
Linux Security Event Monitoring with osquery | Alessandro Gario | 2019 |
osql: The community oriented osquery fork | Stefano Bonicatti, Mark Mossberg | 2019 |
Getting started with osquery | Lauren Pearl, Andy Ying | 2018 |
osquery Super Features | Lauren Pearl | 2018 |
osquery Extension Skunkworks | Mike Myers | 2018 |
Build it Break it Fix it | Andrew Ruef | 2014 |
Education
Presentation Title | Author(s) | Year |
---|---|---|
Introduction to Semgrep and<br /> Semgrep Practice Exercises | Maciej Domański, Matt Schwager, Spencer Michaels | 2024 |
A mostly gentle introduction to LLVM | William Woodruff | 2022 |
JWTs, and why they suck | Rory M | 2021 |
The Joy of Pwning | Sophia D'Antoine | 2017 |
How to CTF - Getting and using Other People's Computers (OPC) | Jay Little | 2014 |
Low-level Security | Andrew Ruef | 2014 |
Security and Your Business | Andrew Ruef | 2014 |
Bringing nothing to the party | Vincenzo Iozzo | 2013 |
From One Ivory Tower to Another | Vincenzo Iozzo | 2012 |
Infrastructure
Presentation Title | Author(s) | Year |
---|---|---|
Return to the 100 Acre Woods | Stefan Edwards | 2019 |
Swimming with the kubectl fish | Stefan Edwards | 2019 |
Machine Learning
Presentation Title | Author(s) | Year |
---|---|---|
Incubated Machine Learning Exploits: Backdooring ML Pipelines Using Input-Handling Bugs | Suha Sabi Hussain | 2024 |
Holistic ML Threat Models | Adelin Travers | 2024 |
Using Graph-Based Machine Learning Algorithms for Software Analysis | Michael D. Brown | 2023 |
Exploiting Machine Learning Pickle Files | Carson Harmon, Evan Sultanik, Jim Miller, Suha Sabi Hussain | 2021 |
PrivacyRaven: Comprehensive Privacy Testing for Deep Learning | Suha Sabi Hussain | 2020 |
Mobile security
Presentation Title | Author(s) | Year |
---|---|---|
Swift Reversing | Ryan Stortz | 2016 |
Modern iOS Application Security | Sophia D'Antoine, Dan Guido | 2016 |
The Mobile Exploit Intelligence Project | Dan Guido | 2012 |
A Tale of Mobile Threats | Vincenzo Iozzo | 2012 |
Programming
Presentation Title | Author(s) | Year |
---|---|---|
Python internals - let's talk about dicts | Dominik Czarnota | 2019 |
Low-level debugging with Pwndbg | Dominik Czarnota | 2018 |
Insecure Things to Avoid in Python | Dominik Czarnota | 2018 |
Side channels
Presentation Title | Author(s) | Year |
---|---|---|
Hardware side channels in virtualized environments | Sophia D'Antoine | 2015 |
Exploiting Out-of-Order Execution | Sophia D'Antoine | 2015 |
Supply chain
Presentation Title | Author(s) | Year |
---|---|---|
The Next 5 Years of Supply Chain Security on PyPI | William Woodruff | 2024 |
PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem | William Woodruff | 2024 |
Imagining a zero-trust future for PyPI | William Woodruff | 2024 |
Build Provenance: Lessons (so far) from Homebrew | Joe Sweeney | 2024 |
What does it look like to code-sign for an entire packaging ecosystem? | William Woodruff | 2023 |
Securing your Package Ecosystem with Trusted Publishing | William Woodruff | 2023 |
Trusted Publishing: Lessons from PyPI | William Woodruff | 2023 |
Python Packaging Mystery Meat | William Woodruff | 2022 |
Automated Tools for Securing the Software Supply Chain | Michael D. Brown | 2022 |
Improving PyPI's security with Two Factor Authentication | William Woodruff | 2019 |
Threat analysis & malware
Presentation Title | Author(s) | Year |
---|---|---|
Peeling back the 'Shlayers' of macOS Malware | Josh Watson, Erika Noerenberg | 2019 |
The Exploit Intelligence Project Revisited | Dan Guido | 2013 |
Guides and Handbooks
We publish much of our subject matter expertise in the form of guides and handbooks.
Link | Repository | Description |
---|---|---|
Trail of Bits Testing Handbook | trailofbits/testing-handbook | The automated testing handbook is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools we use. |
ZKDocs | trailofbits/zkdocs | ZKDocs provides comprehensive, detailed, and interactive documentation on zero-knowledge proof systems and related primitives. |
Building Secure Smart Contracts | crytic/building-secure-contracts | Guidelines and best practices for developing secure smart contracts. |
CTF Field Guide | trailofbits/ctf | Our field guide to winning at Capture The Flag (CTF). |
Ruby Security Field Guide | trailofbits/rubysec | Our field guide for practical Ruby security. |
Datasets
Dataset | Date |
---|---|
Smart Contract Audit Findings | Aug 2019 |
Podcasts
We host our own podcast: Trail of Bits. You can download episodes from your favorite podcast app.
Podcast | Guest | Date | Topic(s) |
---|---|---|---|
MLSecOps March 20 | William Woodruff | March 2024 | Supply chain security |
Risky Biz 707 | Dan Guido | May 2023 | ML security |
ASW 229 | Nick Selby | Feb 2023 | Threat modeling, cloud-native audits |
Risky Biz 690 | Dan Guido | Jan 2023 | Vuln disclosure |
Risky Biz 672 | Dan Guido | Jul 2022 | Blockchain security |
Cloud Security Reinvented | Nick Selby | Jun 2022 | Cloud security |
Skiff Office Hours | Dan Guido | Mar 2022 | Privacy technology |
Risky Biz 652 | Dan Guido | Jan 2022 | Zero-knowledge proofs |
Secureum Safecast #3 | Josselin Feist | Nov 2021 | Blockchain security |
Secureum Safecast #2 | Dan Guido | Oct 2021 | Blockchain security |
Press Freedom Foundation | Dan Guido | Jul 2021 | Mobile security and iVerify |
Employee Cycle | Hannah Hanks | Mar 2021 | First PeopleOps hire |
Risky Biz 614 | Dan Guido | Feb 2021 | iVerify |
Building Better Systems 6 | Dan Guido | Jan 2021 | What blockchain got right |
WCBS 880 | Dan Guido | Sep 2020 | Gap years and intern hiring |
Risky Biz 594 | Dan Guido | Aug 2020 | Apple security |
Epicenter 346 | Dan Guido | Jun 2020 | Smart contract security |
Absolute AppSec 97 | Stefan Edwards | May 2020 | Threat modeling |
Unchained 170 | Dan Guido | May 2020 | DeFi security |
Risky Biz 580 | Dan Guido | Apr 2020 | Mobile voting |
Absolute AppSec 91 | Stefan Edwards | Apr 2020 | Mobile voting |
Zero Knowledge 122 | Ben Perez | Mar 2020 | Cryptography reviews, ZKPs |
Changelog | Dan Guido | Jan 2020 | AlgoVPN |
Risky Business 559 | Stefan Edwards | Oct 2019 | Kubernetes |
FOSS Weekly 545 | William Woodruff | Sep 2019 | PyPI security improvements |
Podcast.__init__ 225 | William Woodruff | Aug 2019 | PyPI security, UX, and sustainability |
Absolute AppSec 68 | Stefan Edwards, Bobby Tonic | Aug 2019 | Kubernetes |
Hashing it Out 53 | Dan Guido | Jul 2019 | Smart contract testing |
Absolute AppSec 60 | Stefan Edwards | May 2019 | Android, programming languages |
Absolute AppSec 55 | Stefan Edwards | Apr 2019 | Security testing |
Hashing it Out 35 | Dan Guido, Josselin Feist | Jan 2019 | Ethereum's failed EIP-1283 |
Risky Biz 526 | JP Smith | Jan 2019 | Post-quantum crypto in CTFs |
Absolute AppSec 37 | Stefan Edwards | Nov 2018 | Programming languages, symbex |
Risky Biz 510 | Lauren Pearl | Aug 2018 | Open source security engineering |
Absolute AppSec 34 | Stefan Edwards | Oct 2018 | Security testing, blockchain |
Zero Knowledge 16 | JP Smith | Mar 2018 | Smart contract security |
Risky Biz 488 | JP Smith | Feb 2018 | Smart contract testing w/ Manticore |
Risky Biz 474 | Dan Guido | Oct 2017 | How to engineer secure software |
Georgian Partners 47 | Dan Guido | May 2017 | AlgoVPN and Tor |
VUC 643 | Dan Guido | Apr 2017 | AlgoVPN |
Risky Biz 449 | Dan Guido | Mar 2017 | Control Flow Integrity |
Risky Biz 425 | Dan Guido | Sep 2016 | Recap the week's news |
Risky Biz 421 | Dan Guido | Aug 2016 | Car hacking and the week's news |
Risky Biz 416 | Dan Guido | Jul 2016 | DARPA Cyber Grand Challenge |
Risky Biz 399 | Dan Guido | Feb 2016 | Apple vs the FBI |
Risky Biz 370 | Dan Guido | Feb 2015 | DARPA Cyber Grand Challenge |
Risky Biz 348 | Dan Guido | Jun 2015 | DARPA Cyber Grand Challenge |
Public Comments
Topic | Agency | Date |
---|---|---|
Automated Artificial Intelligence Bill Of Materials for AI/ML Ops | U.S. Army PEO IEW&S | Dec 2023 |
Open-Source Software Security: Areas of Long-Term Focus and Prioritization | ONCD, CISA, NSF, DARPA, OMB | Nov 2023 |
Understanding the National Security Implications of AI | White House OSTP | Jul 2023 |
AI Accountability, Regulation, and Audits | NTIA | Jun 2023 |
A Comprehensive Risk Assessment Framework for AI Assurance in Ethical, Legal, and Societal Domains | DARPA | Jun 2023 |
Understanding Crypto Markets Security | CFTC | Mar 2023 |
Regulation of Intrusion and Surveillance Software | Commerce Dept | Jul 2015 |
Security Reviews
Companies that have allowed us to speak about our work can be found here. Many more remain confidential.
ML/AI Reviews
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
YOLOv7 Threat Model and Code Review | Oct 2023 | 4 | 📄 | |
EleutherAI, Hugging Face, <br />& Stability AI SafeTensors Library | Mar 2023 | 2 | 📄 | |
Cryptography Reviews
Technology Product Reviews
Cloud-Native Reviews
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
KEDA | Dec 2022 | 6 | Audit of Kubernetes Event Driven Autoscaling (KEDA) | 📄 |
Terraform Enterprise | Nov 2022 | 6 | ||
Nomad Enterprise | Nov 2022 | 6 | ||
HashiCorp Cloud | Jun 2022 | 9 | ||
Tekton | Mar 2022 | 4 | Tekton Security Review Completed | 📄 |
Linkerd | Feb 2022 | 4 | 📛📄✅ | |
CoreDNS | Jan 2022 | 4 | 📄 | |
Terraform Enterprise | Nov 2021 | 6 | ||
Nomad Enterprise | Nov 2021 | 6 | ||
Consul Enterprise | Oct 2021 | 6 | ||
Vault Enterprise | Oct 2021 | 6 | ||
HashiCorp Cloud | Jun 2021 | 8 | ||
Argo | Mar 2021 | 4 | 📛📄 | |
Terraform Cloud | Jan 2021 | 6 | ||
Consul | Oct 2020 | 10 | ||
Nomad | Aug 2020 | 6 | ||
Helm | Aug 2020 | 4 | Helm 2nd Security Audit | 📄 |
Terraform | Mar 2020 | 6 | ||
OPA | Mar 2020 | 2 | Open Policy Agent (OPA) Graduation Proposal | 📄 |
etcd | Jan 2020 | 4 | CNCF | 📄 |
Rook | Dec 2019 | 2 | CNCF | 📄 |
Kubernetes | May 2019 | 12 | Google, CNCF | 📛📄📰 |
Invariant Testing and Development Engagements
Product | Date | Level of <br />Effort | Announcement | Report | Public Suite |
---|---|---|---|---|---|
Panoptic | May 2024 | 9 | 📄 | ||
Curvance | Mar 2024 | 5 | 📄 | Public invariants |
Blockchain Reviews
Wallet Reviews
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
Uniswap Browser Extension | Feb 2024 | 6 | 📄✅ | |
Uniswap | Sep 2023 | 4 | 📄✅ | |
dappOS v2 virtual wallet | Jul 2023 | 3 | 📄✅ | |
WalletConnect v2.0 | Mar 2023 | 4 | WalletConnect | 📄✅ |
Uniswap Mobile Wallet | Aug 2022 | 4 | 📄✅ | |
Phantom Wallet | Nov 2022 | 2 | ||
GameStop iOS Web Wallet | Nov 2022 | 1 | ||
Phantom Wallet | Apr 2022 | 4 | ||
GameStop Wallet | Mar 2022 | 2 | GameStop wallet | |
RAILGUN | Feb 2022 | 4 | ||
Casper Web Wallet | Jul 2021 | 4 | 📄 | |
Argent | Aug 2020 | 4 | ||
Magma | Jun 2020 | 1 | 📄 | |
Dharma Wallet | Oct 2019 | 4 | 📄 | |
ZecWallet | Apr 2019 | 2 | 📄 | |
Web3 | Mar 2018 | 2 | W3F and TOB hardware wallet guidance | 💬 |
Algorand
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
Folks Finance Protocol | Nov 2022 | 6 | 📄✅ | |
wXTZ | Nov 2020 | 4 | 📄 | |
wALGO | Nov 2020 | 4 | 📄 | |
Meld Gold | Jul 2020 | 2 | ||
Algorand | Mar 2019 | 14 | Success and momentum of Algorand | |
Pixel | Dec 2019 | 4 | ||
Avalanche
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
Alkimiya Silica V2 | Jun 2022 | 6 | ||
Ava Labs | Apr 2022 | 8 | ||
Flare Network | Mar 2021 | 8 | ||
Bitcoin & Derivatives
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
Nomic | Nov 2024 | 10 | Nomic Completes Security Audit by Trail of Bits | 📄✅ |
STAS SDK | Oct 2021 | 4 | ||
STAS-JS SDK | Sep 2021 | 4 | ||
Bitcoin SV | Jan 2021 | 6 | ||
Zcoin | Jul 2020 | 2 | Lelantus Cryptographic Library Audit Results | 📄 |
Zcash | Apr 2020 | 3 | Heartwood security assessment results | 📄 |
Zcash | Nov 2019 | 6 | NU3, Blossom, and Sapling security reviews | 📄 |
Zcash | Nov 2019 | 6 | 📄 | |
Paymail Protocol | Nov 2019 | 7 | ||
Bitcoin SV | Nov 2018 | 12 | ||
Simple Ledger | Oct 2019 | 3 | ||
RSKj | Nov 2017 | 6 | RSK security audit results | 📄 |
Ethereum/EVM
Nervos
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
xUDT | Jun 2021 | 2 | ||
Nervos -RSA | Mar 2021 | 4 | ||
Nervos SUDT | Oct 2020 | 6 | 📄 | |
Cheque Cell & ORU | Feb 2021 | 8 | ||
Force Bridge - Solidity | Feb 2021 | 4 | ||
Force Bridge - Rust | Feb 2021 | 3 | ||
Starknet
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
Opus | Dec 2023 | 8 | 📄✅ | |
Aura | Aug 2023 | 8 | 📄✅ | |
Nostra | Dec 2022 | 8 | ||
StarkGate | Dec 2022 | 2 | ||
StarkEx | Oct 2022 | 1 | ||
StarkNet token | Jul 2022 | 1 | ||
StarkPerpetual | Jan 2022 | 8 | ||
StarkEx | Nov 2021 | 8 | ||
Solana
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
Squads V4 | Oct 2023 | 2 | Announcement | 📄✅ |
Token-2022 Program | Feb 2023 | 1 | 📄✅ | |
Drift Protocol | Dec 2022 | 6 | Announcement (Tweet) | 📄✅ |
Solana | Apr 2022 | 12 | ||
Substrate
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
ParaSpace | Dec 2022 | 1 | 📄 | |
ParaSpace | Nov 2022 | 7 | 📄✅ | |
Parallel Finance | Mar 2022 | 6 | 📄 | |
Polkadex | Feb 2022 | 10 | ||
Polkadex | Dec 2021 | 4 | ||
PINT | Sep 2021 | 4 | ||
Polkaswap | Jul 2021 | 6 | ||
AlephBFT | Jun 2021 | 4 | 📄 | |
Acala Network | Jun 2021 | 4 | ||
Compound Chain | May 2021 | 6 | ||
Acala Network | Jan 2021 | 6 | 📄 | |
Parity Fether | Aug 2019 | 4 | ||
Parity | Jul 2018 | 12 | Parity completes Trail of Bits security review | 📄 |
Tendermint/Cosmos
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
Orga and Merk | Nov 2024 | 10 | Orga & Merk Trail of Bits Security Audit | 📄✅ |
Berachain Polaris API polaris-geth | Aug 2023 | 8 | ||
Berachain berachain | Jun 2023 | 6 | ||
Umee | Feb 2022 | 8 | 📄 | |
Columbus-5 | Jan 2022 | 2 | ||
IBC Protocol | Dec 2021 | 4 | ||
THORChain | Aug 2021 | 12 | ||
Tendermint | Mar 2019 | 12 | ||
ndau | Nov 2018 | 8 | ndau Holders Elect Inaugural Policy Council | |
Tezos
Product | Date | Level of <br />Effort | Announcement | Report |
---|---|---|---|---|
Kolibri | Apr 2022 | 4 | ||
Tezori (T2) | Dec 2020 | 4 | 📄 | |
Tezori | Jul 2018 | 2 | Thanks to @trailofbits for their security review | |
Dexter | Jun 2020 | 4 | 📄 | |
Other/Multi-Chain
Disclosures
Name | Product | Discoverer | Year | ID | Blog |
---|---|---|---|---|---|
Insufficient validation of integration timestamp in sigstore-python | sigstore-python | William Woodruff | 2024 | CVE-2024-55655 | |
Rust crates "stable" and "nightly" might be installed instead of the corresponding toolchains | Crates.io | Max Ammann | 2024 | ❌ | |
num-bigint disclosure | num-bigint | Samuel Moelius | 2024 | ❌ | 💬 |
Memory corruption during X.509 validation in GnuTLS | GnuTLS | William Woodruff | 2024 | CVE-2024-28835 | |
Linux kernel modules kASLR bypass | Linux | Dominik Czarnota | 2024 | ❌ | 💬 |
Pedersen DKG vulnerability disclosure | Multiple | Fredrik Dahlgren | 2024 | ❌ | 💬 |
LeftoverLocals disclosure | multiple GPUs | Tyler Sorensen | 2024 | CVE-2023-4969 | 💬 |
Billion hashes attack against Go JOSE libraries | https://github.com/go-jose/go-jose | Matt Schwager | 2023 | GO-2023-2334, GO-2023-2409 | 💬 |
Expo Secure Store: Shortening AES GCM Authentication Tags | expo-secure-store | Joop van de Pol | 2023 | ❌ | 💬 |
YOLOv7 disclosure | YOLOv7 | Alvin Crighton, Anusha Ghosh, Suha Hussain, Heidy Khlaaf, Jim Miller | 2023 | ❌ | 💬 |
Numbers turned weapons: DoS in Osmosis’ math library | Osmosis | Sam Alws | 2023 | ❌ | 💬 |
The issue with ATS in Apple’s macOS and iOS | iOS, iPadOS, tvOS, macOS, and watchOS | Will Brattain | 2023 | CVE-2023-38596 | 💬 |
Eth ABI DoS disclosure | ethabi, eth_abi, ethereumjs-abi, alloy-rs | Max Ammann | 2023 | ❌ | |
Security flaws in an SSO plugin for Caddy | caddy-security | Maciej Domański, Travis Peters, David Pokora | 2023 | CVE-2024-21500, CVE-2024-21499, CVE-2024-21498, CVE-2024-21497, CVE-2024-21496, CVE-2024-21495, CVE-2024-21494, CVE-2024-21493, CVE-2024-21492, CVE-2023-52430 | 💬 |
ktor Path Traversal | ktor | Vasco Franco | 2023 | CVE-2022-48476 | |
Specialized Zero-Knowledge Proof failures | Binance's tss-lib; All forks of tss-lib: Joltify, SwipeChain, and ThorChain; Coinbase's kryptology | Opal Wright | 2022 | ❌ | 💬 |
Forgery in Amis' Alice library | Amis' alice | Filipe Casal | 2022 | ❌ | |
Keeping the wolves out of wolfSSL | wolfSSL | Max Ammann | 2022 | CVE-2022-38152 CVE-2022-38153 CVE-2022-39173 CVE-2022-42905 | 💬 |
Escaping misconfigured VSCode extensions - Live Preview XSS | Live Preview VSCode extension | Vasco Franco | 2022 | MS-VULN-073448 | 💬 |
Escaping misconfigured VSCode extensions - Live Preview Path Traversal | Live Preview VSCode extension | Vasco Franco | 2022 | MS-VULN-073447 | 💬 |
Escaping well-configured VSCode extensions (for profit) - VSCode localResourceRoots Bypass | VSCode | Vasco Franco | 2022 | CVE-2022-41042 | 💬 |
Escaping misconfigured VSCode extensions - Sarif Viewer XSS | Sarif Viewer VSCode extension | Vasco Franco | 2022 | MS-VULN-071828 | 💬 |
Stranger Strings: An exploitable flaw in SQLite | SQLite | Andreas Kellas | 2022 | ❌ | 💬 |
json-viewer XSS | jquery.json-viewer | Vasco Franco | 2022 | CVE-2022-30241 | |
Shamir’s Secret Sharing vulnerabilities | Binance’s tss-lib; Clover Network’s threshold-crypto; Keep Network’s keep-ecdsa; Swingby’s tss-lib; THORchain’s tss-lib; ZenGo X’s curv | Filipe Casal | 2021 | ❌ | 💬 |
OSX slack:// protocol handler javascript injection | Slack | Jay Little | 2016 | ❌ | 💬 |
Double free in VLC's 3GP file format | VLC | Loren Maggiore | 2015 | CVE-2015-5949 | 💬 |
Workshops
Workshop Title | Venue | Date |
---|---|---|
Smart Contract Security Automation Workshop | TruffleCon 2019 | Oct 2019 |
Manticore EVM Workshop | Devcon4 2018 | Nov 2018 |
Introduction to Smart Contract Exploitation | GreHack 2018 | Nov 2018 |
DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle | SecDev 2018 | Oct 2018 |
Smart Contract Security Automation Workshop | TruffleCon 2018 | Oct 2018 |
Smart Contract Security Automation Workshop | ETH Berlin 2018 | Sep 2018 |
Manticore EVM Workshop | EthCC 2018 | Mar 2018 |
Manticore Workshop | GreHack 2017 | Oct 2017 |
Service Overviews
Service Title | Type of Document |
---|---|
AI Safety & Security Training | One-page service overview |
Research Reports
Report Title | Description |
---|---|
Cedar, Rego, and OpenFGA Policy Languages: Comparative Language Security Assessment | Comparative assessment of the security properties of selected policy languages. |
Legend
Icon | Definition |
---|---|
💬 | Blog post or other social media |
📄 | Security Assessment report |
✅ | Fix review report |
📛 | Threat Model report |
📰 | Whitepaper |
❌ | No public identifier (CVE or equivalent) listed for the disclosure |
Header | Definition |
---|---|
Level of Effort | Defined in person-weeks for the project |