TBA

More talks to come. Reviewed by a peer-review board of practising researchers. Click any talk for details — share the link with a colleague.













Two Android native memory-corruption cases anchor this talk: a PlayStation App voice-party parser bug in a custom peer-to-peer protocol, where a malformed RUDP field overflows a fixed-size stack buffer, and a Microsoft Teams Adaptive Cards issue, where a crafted data URL reaches a native rendering path and triggers an arm64 heap out-of-bounds write. They are the payoff from five months of LLM-assisted vulnerability research across Meta, Microsoft, Sony, and private mobile targets - a cyborg workflow of human judgment, LLM speed, persistent evidence, and verifier gates that also produced public findings, bounty reports, and critical private bugs.
The first version was simple: a Mac Mini at home, Codex running overnight, and a menu of hunting strategies with a dice-roll fallback. Early output was noisy, so I added strict proof checks to reduce false positives. That phase ultimately produced real findings across Meta surfaces, including Sapling, Meta's internal Git-like version control system, clone-time NTLM theft and client-side code execution, Lexical, Meta's popular rich-text editor framework, with collaboration and DevTools bugs, one-click NTLM theft and client-side code execution in Meta Quest Developer Hub, ExifTool-based client-side code execution in Mapillary, and a DOM XSS in facebook/Rapid, Meta's open-source map editor. It also produced duplicates, dead ends, and false starts.
That failure pattern shifted the hunt. I moved from obvious source surfaces to hidden first-party ones: unpacked Teams and Outlook desktop paths where attacker-controlled URL state reached legacy bootstrap code, loaders, and redirects, ending in template-injection XSS in two Microsoft products.
After the client-side and OSS phase, I moved to Claude for blackbox hunting, but it kept repeating work and did not scale. I solved this by freezing targets into evidence: Burp captures, JS bundles, API responses, APKs, screenshots, and reports, with one rule: capture once, re-query forever. The Mac Mini became SWAMP, a 24/7 evidence box, and I built Atlas plugins so any model could use it. This reusable pipeline reduced redundancy while still producing strong findings, including Microsoft Designer's token leak, a Power BI chain, and critical bugs such as IDORs, admin takeover, backend leaks, and malicious WebView notifications with reach to millions of installed devices, verified end-to-end only on my own test device.
At that point, I pushed the same workflow into Android native libraries, leading to two representative cases: a PlayStation App voice-party parser bug in a custom peer-to-peer protocol, where a malformed field overflows a fixed-size stack buffer, and a Microsoft Teams Adaptive Cards issue, where a crafted data URL triggers a heap out-of-bounds write in the native rendering path.
I will share practical tips, prompts, and workflows so others can apply this approach. Drawing on five months of cyborg vulnerability research, this talk shows that the point is not to remove the human from the loop, but to build a reusable workflow around durable evidence, verifier gates, refusal rules, and a machine-speed loop where agents move fast while humans keep proof and responsibility intact.

Luật Nguyễn (@l4wio) is a Vietnamese security researcher and co-founder of CyberJutsu Academy. He has disclosed roughly dozen CVEs across Firefox, Chrome/PDFium, Kibana, cURL, and PHP, following earlier roles at Tencent's KeenLab and Microsoft Security Response Center team. A CTF enthusiast and member of VNSecurity/CLGT, won the Cyber SEA Game with Team Vietnam, and is now deeply interested in applying LLMs to build full-stack vulnerability-hunting pipelines spanning web, browsers, mobile, memory corruption, and threat hunting...