Publications

Security Research

I look for security bugs in open source software. Some are found in my free time, some on company time while working for Mozilla. Here are some examples:

  • CVE-2015-4518 CSP bypass in Firefox Reader mode
  • CVE-2014-1485 XSLT-based CSP bypass in Firefox (and related products)
  • CVE-2013-4519 Multiple HTML Injection Vulnerabilities in ReviewBoard
  • CVE-2013-4409 Possible Remote Code Execution Vulnerability in ReviewBoard
  • Multiple security issues in Etherpad-lite, which led to release 1.2.9 on March 17, 2013 (no CVE assigned)
  • CVE-2013-0774 disclosure of profile directory name in Firefox (and related products)
  • CVE-2012-5650 DOM-based Cross-Site Scripting in CouchDB