2025 Annual Report - OSTIF.org
Presenting our 2025 annual report! In our report, you'll see that OSTIF's story and mission are intertwined. OSTIF will continue to fight for open source infrastructure and the privacy rights of users for as many decades as you'll let us.
Our statement and report link: ostif.org/2025-annual-...
30.01.2026 15:06
Love breaking things just to see how they work?
A @shielder.com delegation is on the ground at @fosdem.org, and we're looking for fellow hackers and security researchers.
If you are passionate about securing the Open Source world, we definitely need to talk!
31.01.2026 08:29
Happy New Year, Hackers!
We're looking forward to a 2026 full of crazy exploits, instant patches, and - most importantly - YOU, the amazing human beings behind the screens.
31.12.2025 12:49
Bootloaders acting weird?
If you are at #39c3, catch @shielder.com's own @thezero.org to geek out over bootloader oddities and low-level vulnerabilities.
27.12.2025 13:53
Want to learn more about our approach to auditing complex libraries and writing cool exploits?
Date: Dec 02
Time: 20:00 CET
RSVP: luma.com/ostif-meetup...
25.11.2025 09:15
Attending #theSAS25? Meet @paupu.bsky.social for his PAM pwnage talk!
It won't be recorded and it might *wink wink* contain a cool drop you don't want to miss.
26.10.2025 15:56
RomHack - Job opportunities
Check for RomHack sponsors' job opportunities
👋🏿 Hackers!
Are you a Red Teaming Wizard 🧙🏿 looking for a new challenge? @shielder.com is hiring a Red Teaming Lead to join our crew!
More info ⬇️ (share appreciated) #hiring #redteaming
romhack.io/job-opportun...
07.08.2025 19:38
In partnership with @aswf.io, OSTIF and @shielder.com worked on audits of MaterialX and OpenEXR. Our deepest gratitude for this opportunity to work with incredible maintainers and cool projects such as these - read about them at our blogs: ostif.org/materialx-au..., ostif.org/openexr-audi...
31.07.2025 16:03
Blog post: shielder.com/blog/2025/07...
Reports: github.com/ShielderSec/...
31.07.2025 15:10
🚨 New Open Source Audit Alert! 🚨
Shielder, with @ostifofficial.bsky.social & ASWF, audited OpenEXR and MaterialX:
11 issues found (1 critical, 3 still to be published)
✔️ Most fixed, others planned
🗣️ ndaprela @smaury.bsky.social @suidpit.bsky.social @thezero.org
Full details in the blog post ⬇️🧵
31.07.2025 15:09
Last week Apple released macOS 13.4, which contains a fix for a vulnerability @suidpit.bsky.social exploited to escape the Sandbox.
Update now and stay tuned for the technical details!
Ref: support.apple.com/en-us/122373
07.04.2025 08:58
In Lausanne for @1ns0mn1h4ck.bsky.social? Don't miss the chance to meet our very own @not4nhacker.bsky.social! If you're into cursed OAuth hacking techniques or breaking mobile apps, find a comfy spot -- you might be there for a while!
13.03.2025 09:43
Ship happens - and that's why security audits are an important part of security efforts. We facilitated work on #Karmada thanks to support from the @cncf.io and with auditing performed by @shielder.com. You can now sea the impact of an audit for yourself at ostif.org/karmada-audi...
17.01.2025 17:29
Shielder - Karmada Security Audit
Karmada Security Audit, sponsored by the CNCF (Cloud Native Computing Foundation), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.
🚨 New Open Source Audit Alert! 🚨
Shielder, with @ostifofficial.bsky.social & @cncf.io, audited karmada-io:
6 issues found (1 high, 1 medium, 2 low, 2 info)
✔️ Most fixed, others planned.
🗣️ to @suidpit.bsky.social and @thezero.org
Full details in the blog post!
www.shielder.com/blog/2025/01...
16.01.2025 16:01
Pizza box with an infosec illustration saying "Cooking delicious exploits since 2014"
Stickers, a kway, and a medal
Medal saying "10 years of cyber security, still can't fix your printer"
The best infosec swag in town.
@shielder.com
10.11.2024 23:28
Attending #TheSASCon2024 in the beautiful Bali 🏝️?
Make sure not to miss @suidpit.bsky.social's talk about his novel research on the macOS sandbox and how to bypass it.
Wednesday, October 23 - 15:10
22.10.2024 11:02
Shielder - A Journey From `sudo iptables` To Local Privilege Escalation
In this post, we demonstrate two techniques allowing a low privileged user to escalate their privileges to root in case they can run iptables and/or iptables-save as
For the weekend, we gift you with not one, but TWO ways to escalate `sudo iptables` (+ a couple other boring preconditions) into a r00t shell - read how @smaury.bsky.social and @suidpit.bsky.social managed to climb your friendly neighborhood 🔥wall!
www.shielder.com/blog/2024/09...
20.09.2024 13:42
Our very own @suidpit.bsky.social will present his novel #macOS research at #TheSAS2024 - if you want to learn more about the macOS sandbox and how to escape it, make sure to be in Bali 🏝️ from Oct 22 to Oct 25!
Learn more here: thesascon.com
29.08.2024 08:53
During a recent engagement Mindless hacked his way through Vtiger CRM, which led to the discovery of a privilege escalation and a SQL injection.
Learn more in the dedicated advisories:
- CVE-2024-42994 #sqli www.shielder.com/advisories/v...
- CVE-2024-42995 #privesc www.shielder.com/advisories/v...
28.08.2024 10:19
Shielder - Boost Security Audit
Boost Security Audit, sponsored by Amazon Web Services (AWS), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.
Back in December 2023 our researchers @thezero.org, @suidpit.bsky.social and Mindless performed an audit sponsored by AWS and facilitated by OSTIF on Boost.
It resulted in 7 findings and 15 new fuzzers.
The report is now public, check the details here: www.shielder.com/blog/2024/05...
22.05.2024 15:01
Introducing SecureDrop Protocol
This blog post is a part of a series about our research toward the next generation of the SecureDrop whistleblowing …
In early 2023 we (@thezero.org & @smaury.bsky.social) collaborated with SecureDrop to start designing and prototyping the #E2EE messaging protocol for a future version of SecureDrop.
Blog post: securedrop.org/news/introdu...
💻 PoC code: github.com/freedomofpre...
07.05.2024 10:54
Shielder - Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers
A writeup about two intent-based Android vulnerabilities CVE-2024-26131 and CVE-2024-26132 in Element (Matrix).
Exciting news! We've just released a new blog post on mobile app security, where @suidpit.bsky.social and @thezero.org used their intent-fu to discover vulnerabilities (CVE-2024-26131, CVE-2024-26132) in Element, a @matrix.org client for Android. #writeup #CVE
www.shielder.com/blog/2024/04...
18.04.2024 09:29
Shielder - Bref Security Audit
Bref Security Audit, sponsored by Amazon Web Services (AWS), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.
We recently partnered with the Open Source Technology Improvement Fund (OSTIF) to perform a security audit sponsored by AWS on Bref. The audit resulted in 5 findings promptly addressed by @mnapoli.bsky.social.
The report is now public, check the details here: www.shielder.com/blog/2024/03...
29.03.2024 12:09
Hey hackers - attending #Nullcon? Pop by to say hi and talk about AppSec and VR!
You can find @smaury.bsky.social @thezero.org @suidpit.bsky.social around 👋🏿
14.03.2024 08:39
Hey hackers! Are you attending @fosdem.bsky.social?
If you want to talk about open-source software and hardware security make sure to hit up @smaury.bsky.social and @thezero.org!
03.02.2024 04:32
TL;DR Product security folks: do not blindly trust the attack requirements shared by the researchers. Security researchers: when testing embedded devices make sure to mimic correctly all their configurations (i.e. the NVRAM content). 7/7
30.01.2024 13:51
Apparently most of the researchers are either keeping an authentication bypass private or they do their research in emulated environments only and no one ever checked the vulnerabilities before issuing the CVE numbers and releasing the advisories. 6/7
30.01.2024 13:50
After some intense debugging sessions they discovered that not only that one but also a lot of other ASUS routers' vulnerabilities were probably incorrectly deemed unauthenticated. 5/7
30.01.2024 13:50