Jonathan Leitschuh

TL;DR: A security scan with CodeQL of over 1,000 open source projects packaged in Wolfi found seven classes of potential vulnerabilities across 226 projects — 1,878 alerts in total — that can potentially be fixed with automated (or “bulk”) pull requests. This experiment, part of a nascent initiative from Chainguard Labs called “Project Safe Source,” represents another step toward making Chainguard the safe source for open source.

Worked with the Open Source Security Foundation: Vulnerability Disclosure Working Group to develop and publish the "Model Outbound Vulnerability Disclosure Policy: Version 0.1". This policy encapsulates the best practices of several industry disclosure policies into one disclosure policy for open source software security researchers.

After hours of puzzling over your debugger, decompiler, or pentesting toolkit, you’ve finally cracked it. The security vulnerability you strongly believed was present, almost evaded you, but now, you’ve got proof! You’ve achieved the thrill of finding a vulnerability that, hopefully, no one else on the planet knows exists! Now the process of vulnerability disclosure can begin. But where do you start? How does this process work? How do you report a vulnerability? To whom? How do you actually get these things called CVE numbers you’ve heard so much about? What do you do if the process falters? In this talk we will demystify the vulnerability disclosure process by presenting a recently published Open Source Security Foundation (OpenSSF) guide for open source vulnerability finders (“Guidance for Security Researchers to Coordinate Vulnerability Disclosures with OSS Projects”). From tracking down the correct place to disclose to publishing your findings so the wider world can defend themselves adequately. We’ll even discuss that pesky human element that permeates this entire process along the way, too.

I spoke at Black Hat about the work I've been performing as the first ever Dan Kaminsky Fellow.

Q&A with Jonathan Leitschuh, inaugural HUMAN Dan Kaminsky Fellow, in advance of his upcoming Black Hat USA presentation.

HUMAN Security honors its late co-founder, Dan Kaminsky, with a fellowship to fund smart and passionate cybersecurity advocates to do open source work for common good.

I disclosed CVE-2021-26291, a vulnerability in the Java build tool Apache Maven. The vulnerability affects over 100,000 libraries in Maven Central.

Recording of my live streamed walkthrough of the CodeQL Code Scanning Tutorial