Hey, I’m Thomas 👋
I’m currently working as a Vulnerability Researcher for Sonar, helping millions of developers to write safer code.
I’ve been in the offensive security field for a few years now, first with Synacktiv and now doing full-time research to improve Sonar products. It led me to uncover bugs across all kinds of software. I have a particular affection for some of these recent findings:
- Backends of package managers, for instance with CVE-2021-29472 and CVE-2022-24828 in Composer affecting packagist.org and with the potential to poison 2B+ dependency downloads per month.
- Developer tools, for instance with arbitrary code execution bugs on Visual Studio Code with CVE-2021-43891, CVE-2022-30129, CVE-2023-36742, SourceHut (1, 2, 3), etc.
- During Pwn2Own in 2020 and 2022-2023, with findings in the Synology RT6600ax (WAN), TP-Link AC1750 (LAN), Western Digital PR4100.
- Simple-yet-effective authentication bypasses on Zabbix (CVE-2022-23131, CVE-2022-23134) and CasaOS (CVE-2023-37265, CVE-2023-37266), userland LPEs on Ubuntu (CVE-2020-15704) and Fortinet SSL VPN Client, etc.
I tend to be very open about my work, whenever possible, by publishing articles on my employers’ blogs and giving presentations at DEF CON, Hexacon, TyphoonCon, Insomni’hack, GreHack, etc.
I’m also fond of lower-level security sometimes, with hands-on experience orchestrating fuzzing campaigns and corrupting memory that shouldn’t.
You can find me tootin’ on Mastodon at @swapgs@infosec.exchange, and idling on Libera Chat with ~swapgs.
See you around!