Jonathan Leitschuh

Worked with the Open Source Security Foundation: Vulnerability Disclosure Working Group to develop and publish the "Model Outbound Vulnerability Disclosure Policy: Version 0.1". This policy encapsulates the best practices of several industry disclosure policies into one disclosure policy for open source software security researchers.

After hours of puzzling over your debugger, decompiler, or pentesting toolkit, you’ve finally cracked it. The security vulnerability you strongly believed was present, almost evaded you, but now, you’ve got proof! You’ve achieved the thrill of finding a vulnerability that, hopefully, no one else on the planet knows exists! Now the process of vulnerability disclosure can begin. But where do you start? How does this process work? How do you report a vulnerability? To whom? How do you actually get these things called CVE numbers you’ve heard so much about? What do you do if the process falters? In this talk we will demystify the vulnerability disclosure process by presenting a recently published Open Source Security Foundation (OpenSSF) guide for open source vulnerability finders (“Guidance for Security Researchers to Coordinate Vulnerability Disclosures with OSS Projects”). From tracking down the correct place to disclose to publishing your findings so the wider world can defend themselves adequately. We’ll even discuss that pesky human element that permeates this entire process along the way, too.

I spoke at Black Hat about the work I've been performing as the first ever Dan Kaminsky Fellow.

Q&A with Jonathan Leitschuh, inaugural HUMAN Dan Kaminsky Fellow, in advance of his upcoming Black Hat USA presentation.

HUMAN Security honors its late co-founder, Dan Kaminsky, with a fellowship to fund smart and passionate cybersecurity advocates to do open source work for common good.

I disclosed CVE-2021-26291, a vulnerability in the Java build tool Apache Maven. The vulnerability affects over 100,000 libraries in Maven Central.

Recording of my live streamed walkthrough of the CodeQL Code Scanning Tutorial

I did a live stream providing an introduction to the CodeQL programing language. This provided a guided walk-through of the CodeQL tutorial.