Security Researcher — Memory Safety · Protocol & Infrastructure Bugs · Web3 Audits
I break the code you never think about — before an attacker does.
Every day you use software you'll never know the name of — the libraries that decode an image, parse a packet, compress a file, or read a byte. That invisible layer sits inside your browser, your phone, and the servers the internet runs on. It's also where the dangerous bugs survive, because almost nobody audits it.
That's where I work.
Over the last six months I've authored 270+ security & correctness pull requests across 80+ open-source projects — 100+ merged upstream. Every fix below is public, with my name on the commit.
| Project | Lang | The fix |
|---|---|---|
| liburing | C | Integer overflow in the io_uring allocator |
| libjxl | C++ | Off-by-one heap OOB read in GIF palette decoding |
| libjxl | C++ | Heap OOB read/write in alpha-blend path |
| libavif | C | Integer overflow in image rowBytes math |
| libzip | C | OOB read on empty archive entry name |
| Angular | TS | Comment-delimiter injection in escapeCommentText |
| Apache Commons BCEL | Java | Signed read of bytecode operands in classfile parser |
| Apache Commons Collections | Java | Deserialization invariant checks in map readObject |
| yyjson | C | Reject SIZE_MAX length in string allocator |
…and 90+ more across OpenSSL, Apache, Dojo, npm, FlatBuffers, and others.
memory-safety auditing · source-code review · fuzzing & crash triage
· protocol conformance · smart-contract auditing (EVM & Move)
Bug classes I hunt: out-of-bounds read/write · integer overflow & truncation · sign-extension errors · unsafe deserialization · injection / escaping
C · C++ · Java · Rust · Python · Solidity · Move
ASan/UBSan · libFuzzer · OSS-Fuzz · GDB · Foundry / Hardhat
LinkedIn · dxbnaveed.k@gmail.com
The oldest, most boring corners of a codebase are where the bugs quietly wait.


