Maksim Shudrak
@MShudrak
Followers: 851 | Following: 262 | Media: 8 | Statuses: 82
Offsec, Exploit/Malware Dev, Vuln Research, Tools Dev, RE. Opinions expressed are solely my own and do not express the views or opinions of my employer.
San Francisco, CA
Joined June 2017
Buttercup won the $3M second prize at DARPA's AIxCC. We found 28 vulnerabilities across 20 CWEs with 90% accuracy at just $181/point, achieving this with exclusively non-reasoning LLMs.
Need to evaluate impact of leaked GCP credentials or VM compromise? We implemented a GCP Scanner to help with that! I am very excited to present GCP Scanner ( https://t.co/2rV6OXR3hf) w/ @_under_hill at BlackHat Arsenal USA this year on August 10. https://t.co/ESMycdLPjD
(link: github.com, google/gcp_scanner: A comprehensive scanner for Google Cloud.)
Today we take you behind the scenes like never before: learn about the work @Google's security experts do behind closed doors to keep billions safe every day. The HACKING GOOGLE docuseries is streaming NOW on @YouTube → https://t.co/QP1TpgPXgV
(link: youtube.com: Five elite security teams. Six never-before-told stories. Go behind the scenes with the hacking teams at Google keeping more people safe online than anyone e...)
The documentary has 6 episodes featuring various security teams at Google. There are a lot of interesting, previously undisclosed details. The overall quality of the series is just amazing :)
It is finally live :) Definitely recommend watching: https://t.co/8jk5BFWww1 (link: blog.google)
Excited to have found my first CVE (CVE-2022-23302) researching Log4j 1.x with @MShudrak
I'm still hiring! Looking for an engineering manager in Sunnyvale, CA, USA. Details: https://t.co/fi0NaENY8I (And happy new year everyone!)
I wrote a basic #fuzzing UI for @MShudrak's fuzzer Manul (based on AFL) to help people see/understand grey-box fuzzing!
(link: github.com, mechanicalnull/fuzzwatch: Python GUI for seeing what's happening inside a fuzzer)
Let's talk about brute-forcing ASLR on modern Windows. Check my blog post on Medium.
(link: medium.com: Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my current employer or any former employers.)
Especially in Figure 2: a 64-bit DLL only has 524,288 possible base addresses!!!
I just found an awesome blog post about ASLR weaknesses on modern Windows. Some stuff is 100% new for me.
My article "Leveraging Coverage-Guided Fuzzing to Find Exploitable Bugs" was published by Pentest Mag
I have something fun for you: I pulled the JavaScript interpreter out of Avast and ported it to Linux 😆 This runs unsandboxed as SYSTEM, any vulns are wormable pre-auth RCE on 400M endpoints ¯\_(ツ)_/¯ https://t.co/vGrfke7fPd 🐧
After a decade of fuzzing, we just launched FuzzBench, a fuzzer benchmarking platform to bridge the gap between academic fuzzing research and industry fuzzing engines (e.g. libFuzzer, AFL, Honggfuzz). https://t.co/bo6rgxXi23
(link: github.com, google/fuzzbench: FuzzBench - Fuzzer benchmarking as a service.)
This is so cool!
Sneak peek at our (@ms_s3c, @bl4ckic3, @thorstenholz) new S&P paper. Playing Super Mario with (a modified) AFL:
Just a reminder that I’ll be giving a keynote at FuzzCon RSA on Tuesday morning in SF. I’ll talk about history, modern adoption, and future challenges. There are about 120 attendees registered so it should be a great size for networking. Ping me for a free registration code.
Richard Johnson(@richinseattle) of Fuzzing IO will be delivering the keynote at FuzzCon during RSA. Come join us Feb 25 at The Pearl in San Francisco. Complimentary tickets available by request. https://t.co/tg6C4pBDIQ
Just released Manul v0.4: a lot of performance improvements and bug fixes. New features:
- In-app coverage-guided blackbox fuzzing on both Windows (winAFL-like) and Linux. On Linux, it is the only tool that supports this type of fuzzing now :)
- Added AFL forkserver (x10 speedup)
Woot woot, my DEFCON talk is available on YouTube now. Check it out here:
I've just written a performant in-memory fuzzing module with @fridadotre for AFL++ https://t.co/TqXEHD3yNf. Watch AFL++ on GH and stay tuned for a frida_mode in the next days!