About 🔗

Eugene Lim is a security researcher and white hat hacker. From Amazon to Zoom, he has helped secure applications from a range of vulnerabilities and was ranked #2 globally on the Hackerone leaderboard. In 2019, he won the Most Valuable Hacker award at the H1-213 live hacking event in Los Angeles organized by Hackerone, the US Air Force, the UK Ministry of Defense, and Verizon Media. In 2021, he was 1 of 5 selected from a pool of 1 million white hat hackers for the H1-Elite Hall of Fame.

He wrote “From Day Zero to Zero Day: A Hands-On Guide to Vulnerability Research”, published by No Starch Press in 2025.

He seeks to improve application security and secure user data through sustainable DevSecOps practices.

Hackerone | Github | LinkedIn | Twitter

Book 🔗

Psst: I’m publishing a book with No Starch Press! I wrote “From Day Zero to Zero Day” for newcomers looking to enter the rarefied world of vulnerability research. From code review to reverse engineering to fuzzing, I go through the “how”, not just the “what”, of hunting zero days - stuff that I wish I could’ve learned from the beginning. Available for early access now at all your usual channels including Amazon, out in June 2025!

Conferences and Talks 🔗

• GISEC 2023: Re-Discovering Code Review in Bug Hunting
• DEF CON 30 2022: “You Have One New Appwntment - Hacking Proprietary iCalendar Properties” | Slides | Whitepaper
• DEF CON 30 Recon Village 2022: “(Not-So-Secret) Tunnel: Digging into Exposed ngrok Endpoints”
• DEF CON 30 Cloud Village 2022: “Sign of the Times: Exploiting Poor Validation of AWS SNS SigningCertUrl”
• ShmooCon 2022: “Why No One Pwned Synology at Pwn2Own and TianFu Cup This Year: Analyzing Defensive Coding Techniques from a Vulnerability Researcher’s Perspective”
• HacktivityCon 2021: “All Your (Data)base Are Belong To Us: Getting Started in Vulnerability Research with Code Execution Bugs in Office Applications”
• Black Hat USA 2021: “Turing in a Box: Applying Artificial Intelligence as a Service to Targeted Phishing and Defending Against AI Generated Attacks”
• DEF CON 29 2021: “Hacking Humans with AI as a Service”
• Black Hat USA Arsenal 2020: “Manuka: A modular, scalable OSINT honeypot targeting pre-attack reconnaissance techniques”
• Black Hat Asia Arsenal 2019: “npm-scan: An Extensible, Heuristic-Based Vulnerability Scanning Tool for Installed NPM Packages”

Research 🔗

• CVE-2023-41973: Lack of input santisation on Zscaler Client Connector enables arbitrary code execution.
• CVE-2023-41972: Revert password check incorrect type validation on Zscaler Client Connector.
• MSRC Online Services: Injection in Microsoft Whiteboard.
• CVE-2023-5449: Theft Deterrence bypass in HP display monitors.
• CVE-2023-3991: FreshTomato router firmware OS command injection vulnerability.
• CVE-2023-26140: Cross-Site Scripting in Excalidraw.
• CVE-2023-25196, CVE-2023-25197: SQL injections in Apache Fineract
• CVE-2023-0996: Buffer Overflow in heif_js_decode_image in libheif v1.14.2
• GHSA-m4qf-8rrq-mph9: Remote code execution in SONiC (Software for Open Networking in the Cloud) network operating system via buffer overflow.
• CVE-2022-31014: SMTP Command Injection in NextCloud Calendar.
• CVE-2022-24838: SMTP Command Injection in NextCloud Calendar.
• HT213257: Vulnerability in Apple Calendar.
• CVE-2022-22682: Stored XSS in Synology Calendar.
• CVE-2022-22944: VMware Workspace ONE Boxer update addresses a stored cross-site scripting (XSS) vulnerability.
• CVE-2022-24704, CVE-2022-24705: Buffer overflow in Accel-PPP VPN server via crafted packet.
• CVE-2021-43929, CVE-2022-22679, CVE-2021-43925, CVE-2021-43926, CVE-2021-43927, CVE-2022-22680: Various vulnerabilities in Synology DiskStation Manager (NAS OS).
• CVE-2021-43083: Buffer overflow in Apache PLC4X (communication libraries for industrial programmable logic controllers) via crafted packet.
• CVE-2021-38646: Remote code execution in Microsoft Office Access Connectivity Engine via write-what-where gadget.
• CVE-2021-33035: Remote code execution in Apache OpenOffice via return pointer overwrite with DEP/ASLR bypass.
• CVE-2021-42783, CVE-2021-42784: Unauthenticated remote code execution in D-Link DWR-932C router.
• CVE-2021-42785: Buffer Overflow in tvnviewer.exe via Crafted Packet in TightVNC Viewer 2.8.59.
• CVE-2021–35297: Scalabium dBase Viewer Remote Code Execution via Buffer Overflow.
• CVE-2020-7788: Prototype pollution in ini package included in core Node.js installer and downloaded 16 million times a week.

Media 🔗

• Jen and Tod on Hacker Summer Camp 2022, Rapid7
• A malicious document could lead to RCE in Apache OpenOffice, Help Net Security
• Apache OpenOffice can be hijacked by malicious documents, fix still in beta, The Register
• Malicious documents can hijack Apache OpenOffice, TechRadar
• AI Wrote Better Phishing Emails Than Humans in a Recent Test, WIRED Magazine
• New npm scanning tool sniffs out malicious code, The Daily Swig
• SQL injection flaw opened doorway to Starbucks’ accounting database, The Daily Swig
• SQL Injection Vulnerability Exposed Starbucks Financial Records, SecurityWeek
• Yale graduate earns $11,000 finding bugs by ‘hacking’ into government systems, The Straits Times
• NSF is top hacker in Mindef’s programme that gives cash for discovering software bugs, The Straits Times
• NSF bug hunter wins big, PIONEER Magazine
• Hacking the Singapore Government: A Q&A With A Top Hacker & MINDEF 2.0 Results, HackerOne