Skip to content
View rootvector2's full-sized avatar
🎯
Focusing
🎯
Focusing

Highlights

  • Pro

Block or report rootvector2

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
rootvector2/README.md

Naveed Khan

Security Researcher — Memory Safety · Protocol & Infrastructure Bugs · Web3 Audits
I break the code you never think about — before an attacker does.


Every day you use software you'll never know the name of — the libraries that decode an image, parse a packet, compress a file, or read a byte. That invisible layer sits inside your browser, your phone, and the servers the internet runs on. It's also where the dangerous bugs survive, because almost nobody audits it.

That's where I work.

Over the last six months I've authored 270+ security & correctness pull requests across 80+ open-source projects — 100+ merged upstream. Every fix below is public, with my name on the commit.

🔎 Selected merged fixes

Project Lang The fix
liburing C Integer overflow in the io_uring allocator
libjxl C++ Off-by-one heap OOB read in GIF palette decoding
libjxl C++ Heap OOB read/write in alpha-blend path
libavif C Integer overflow in image rowBytes math
libzip C OOB read on empty archive entry name
Angular TS Comment-delimiter injection in escapeCommentText
Apache Commons BCEL Java Signed read of bytecode operands in classfile parser
Apache Commons Collections Java Deserialization invariant checks in map readObject
yyjson C Reject SIZE_MAX length in string allocator

…and 90+ more across OpenSSL, Apache, Dojo, npm, FlatBuffers, and others.

🧠 Focus

memory-safety auditing · source-code review · fuzzing & crash triage · protocol conformance · smart-contract auditing (EVM & Move)

Bug classes I hunt: out-of-bounds read/write · integer overflow & truncation · sign-extension errors · unsafe deserialization · injection / escaping

🛠️ Toolkit

C · C++ · Java · Rust · Python · Solidity · Move ASan/UBSan · libFuzzer · OSS-Fuzz · GDB · Foundry / Hardhat

📫 Reach me

LinkedIn · dxbnaveed.k@gmail.com

The oldest, most boring corners of a codebase are where the bugs quietly wait.

Pinned Loading

  1. libavif libavif Public

    Forked from AOMediaCodec/libavif

    libavif - Library for encoding and decoding .avif files

    C

  2. TYPO3/typo3 TYPO3/typo3 Public

    The TYPO3 Core - Enterprise Content Management System. Synchronized mirror of https://review.typo3.org/q/project:Packages/TYPO3.CMS

    PHP 1.2k 708

  3. nih-at/libzip nih-at/libzip Public

    A C library for reading, creating, and modifying zip archives.

    C 1k 322

  4. libvpx libvpx Public

    Forked from webmproject/libvpx

    Mirror only. Please do not send pull requests.

    C

  5. ntp-project/ntp ntp-project/ntp Public

    The full and complete NTP Reference Implementation from the Network Time Protocol Project at Network Time Foundation.

    C 190 75

  6. dloebl/cgif dloebl/cgif Public

    GIF encoder written in C

    C 147 25