Jonathan Leitschuh

United States United States

Jonathan Leitschuh is a Security Software Engineer and Security Researcher, and is currently the first ever Dan Kaminsky Fellow. Jonathan is best known for the July 2019 Zoom Video Conferencing 0-Day Vulnerability. He also championed an industry-wide initiative to formally decommission the support of HTTP in favor of HTTPS only support by major artifact servers in the JVM ecosystem. He has a degree in Robotics and Computer Science from Worcester Polytechnic Institute. His security research focuses on widespread-common security vulnerabilities impacting OSS. He enjoys finding security vulnerabilities in OSS in as well as contributing to the GitHub Security Lab Bug Bounty Program. He's a strong proponent for security researchers having and enforcing vulnerability disclosure policies. He has spoken at conferences ranging from BSides, to Black Hat and DEF CON! In his free time, Jonathan sails his Hobie Getaway Catamaran in Boston Harbor.

Community Contributions

Congratulations! You Found a Security Vulnerability in an Open Source Project! Now What?

After hours of puzzling over your debugger, decompiler, or pentesting toolkit, you’ve finally cracked it. The security vulnerability you strongly believed was present, almost evaded you, but now, you’ve got proof! You’ve achieved the thrill of finding a vulnerability that, hopefully, no one else on the planet knows exists! Now the process of vulnerability disclosure can begin. But where do you start? How does this process work? How do you report a vulnerability? To whom? How do you actually get these things called CVE numbers you’ve heard so much about? What do you do if the process falters? In this talk we will demystify the vulnerability disclosure process by presenting a recently published Open Source Security Foundation (OpenSSF) guide for open source vulnerability finders (“Guidance for Security Researchers to Coordinate Vulnerability Disclosures with OSS Projects”). From tracking down the correct place to disclose to publishing your findings so the wider world can defend themselves adequately. We’ll even discuss that pesky human element that permeates this entire process along the way, too.
Speaking (conference/usergroups) / 01-21-2023