Hey, I’m Thomas 👋
I worked as a Vulnerability Researcher for a few years, first with Synacktiv and Sonar, and I'm now a Principal Application Security Engineer at Bentley Systems.
This work led me to uncover bugs across all kinds of software. I have a particular affection for some of my recent findings:
- Backends of package managers, for instance with CVE-2021-29472 and CVE-2022-24828 in Composer affecting packagist.org and with the potential to poison 2B+ dependency downloads per month;
- Developer tools, for instance with arbitrary code execution bugs on Visual Studio Code with CVE-2021-43891, CVE-2022-30129, CVE-2023-36742, SourceHut (1, 2, 3), Gogs, etc.
- During Pwn2Own in 2020 and 2022-2023, with findings in the Synology RT6600ax (WAN), TP-Link AC1750 (LAN), Western Digital PR4100.
- Simple-yet-effective authentication bypasses on Zabbix (CVE-2022-23131, CVE-2022-23134) and CasaOS (CVE-2023-37265, CVE-2023-37266), userland LPEs on Ubuntu (CVE-2020-15704) and Fortinet SSL VPN Client, etc.
I tend to be very open about my work—whenever possible—by publishing articles on my employers’ blogs and giving presentations at DEF CON, Hexacon, TyphoonCon, Insomni’hack, GreHack, etc.
I’m also fond of lower-level security sometimes, with hands-on experience orchestrating fuzzing campaigns and corrupting memory that shouldn’t.
You can find me tootin’ on Mastodon at @swapgs@infosec.exchange, and idling on Libera Chat with ~swapgs.
See you around!