Does See No Eval deserve some kind of Most Underrated Research nomination?

they’re called 0days because ive found 0 of them

Rough copy of the FORCEDENTRY code is now available. Most relevant code is here: github.com/jeffssh/CVE-20… Blog soon!

I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-) github.com/amlweems/xzbot

Excited to be back at DEFCON!

V8 Sandbox escape/bypass/violation and VR collection github.com/xv0nfers/V8-sb…

Allocating new exploits Pwning browsers like a kernel & Digging into PartitionAlloc and Blink engine phrack.org/issues/71/10.h…

Pwndbg 2025.01 is out! It adds official LLDB support including support for macOS and Mach-O binaries, improved performance, enhanced embedded debugging & many more! Also, want to support us or buy us a coffee? See our GH sponsors: github.com/sponsors/pwndbg github.com/pwndbg/pwndbg/…

Chrome Browser Exploitation: from zero to heap sandbox escape by matteo malvica ⭕ youtube.com/watch?v=RL2po1…

So proud to lead Robinhood's Vulnerability Research Program github.com/fleetdm/fleet/…

chompie Dammit, that's a typo and I can't edit the post. Well anyway project-zero.issues.chromium.org/issues/42451725

I'm thrilled to announce that my talk Ghost Calls: Abusing Web Conferencing for Covert Command & Control was accepted to #BHUSA 2025 (CC: Black Hat) blackhat.com/us-25/briefing…

Me and the homies are dropping browser exploits on the red team engagement 😎. Find out how to bypass WDAC + execute native shellcode using this one weird trick -- exploiting the V8 engine of a vulnerable trusted application. ibm.com/think/x-force/…

googleprojectzero.blogspot.com/2024/10/from-n… issuetracker.google.com/issues?q=compo…

Pointer leaks through pointer-keyed data structures googleprojectzero.blogspot.com/2025/09/pointe…

OMG.. whatsapp 0c in pwn2own

As the operator of a soup kitchen, I don’t see why I should be expected to fix health code violations people report. After all, we are run almost entirely by volunteers

We really should be talking about this more....KASLR is just not working properly on Android right now, and it hasn't for a long time. googleprojectzero.blogspot.com/2025/11/defeat…

speedrunners reinvented Use After Free and called it "stale reference manipulation" one day theyre gonna invent type confusion and call it item abuse