aaron - hacker, researcher, reverse engineer
aaron [--reverser]
aaron [--exploiter]
aaron [--presenter]
aaron [--educator]
aaron [--author]
aaron [--commentator]
aaron [--guest]
Aaron Portnoy is a security researcher, reverse engineer, speaker, and educator.
This page serves as a minimalist reference to his work and interests.
--reverser
Research interests lie in reverse engineering with a focus on deriving structure, semantics, and intent from opaque software systems. This includes analysis of binaries, firmware, and complex control flows across diverse architectures. Created the IDA Pro plugin toolbag to support these efforts, and regularly presents on reverse engineering methodologies and applied tooling.
--exploiter
Research and practical work in exploitation focuses on the development of reliable, high-impact techniques for vulnerability exploitation across diverse targets. Areas of emphasis include memory corruption, logic flaws, and the systematic bypassing of modern mitigations. Published in Phrack, and has authored or co-authored several high-profile exploits demonstrated at industry conferences and in real-world security assessments.
--presenter
Has delivered over 30 invited talks across global stages, including Black Hat, USENIX, Recon, Microsoft BlueHat, and the NSA Distinguished Speaker Series. Presentation topics have spanned reverse engineering methodologies, economic drivers of zero-day trade, large-scale vulnerability discovery, and exploit automation. Recognized by academic institutions such as NYU and Dartmouth for his contributions to offensive computing education. His work has also been featured on the cover of TIME Magazine and referenced in numerous university-level curricula.
--educator
Actively engaged in cybersecurity education across academic, government, and industry contexts. Designed and delivered lectures on reverse engineering and vulnerability analysis at Dartmouth College and Norwich University, and served as a guest speaker at institutions including NYU and the National Security Agency. Led technical trainings at global security conferences such as REcon and CanSecWest, including multi-day workshops on vulnerability discovery and exploitation. Instruction emphasizes practical methodology, foundational theory, and emerging offensive techniques relevant to both students and professionals.
--author
Has authored and co-authored technical work spanning vulnerability research, exploitation techniques, and AI security. Published in Phrack, IEEE Security & Privacy, and peer-reviewed academic proceedings including ACM FSE and USENIX WOOT. Additional applied research published through IBM X-Force and the Network Security journal.
--commentator
Regularly sought as a subject matter expert by major media outlets on topics spanning zero-day markets, AI security, and offensive research. Has been quoted or featured in TIME, Wired, Forbes, Reuters, the BBC, the Wall Street Journal, and Ars Technica, among others.
--guest
Appears as a guest on podcasts and interview series covering cybersecurity, AI risk, and the economics of vulnerability research. Topics range from the history of exploit development and Pwn2Own to the emerging threat landscape for AI-powered systems.
Offense and Defense in an Era of Systemic Asymmetry: Why the Old Model No Longer Holds (Keynote, Ekoparty Miami)Probabilities, Vulnerabilities, and Psychometrics (Boston Security Meetup)BinPool: A Dataset of Vulnerabilities for Binary Security Analysis (ACM International Conference on the Foundations of Software Engineering)Log4j | CVE-2021-44228 Webinar (Randori & GreyNoise)Choose Your Own Adventure: A Career Guide to InfoSec (BSides Austin)The IDA Toolbag (Recon, Nordic Security Conference)The Economics of Vulnerabilities (Worcester Economic Club)
The Busticati 0xC Step Program to Program Recovery (Summercon)I heard you like reversing (Hackito Ergo Sum)Black Box Auditing Adobe Shockwave (CanSecWest, PacSec)The Economics of Vulnerabilities (Hack in the Box)The Vulnerability Disclosure Debate Continues (RSA)Experiments using IDA Pro as a data store (Ekoparty)Reverse Engineering 101 (Guest Lecture, NYU Polytechnic) [video]Reversing Microsoft DirectShow (YSTS)Exploiting Online Games (RSA)Reverse Engineering Dynamic Language Multiplayer Online Games (BA-Con)Reverse Engineering Dynamic Languages (Recon) [video]Reverse Engineer's Cookbook (Toorcon)Reverse Engineering Python Applications (USENIX Workshop on Offensive Computing)RPC Auditing Tools and Techniques (DeepSec, Toorcon) [video]Advanced Fuzzing with Sulley (Blackhat Japan)Fuzzing Sucks! (Blackhat, Microsoft Bluehat)Exploitation: Past, Present, and Future (National Security Agency)When Configuration Becomes Code: The Hidden Execution Layer in AI Development Tools (Mindgard, 2026)Forced Descent: Google Antigravity Persistent Code Execution Vulnerability (Mindgard, 2026)The Missing First Step in AI Security Testing: Reconnaissance (Mindgard, 2026)TheLibrarian.io's AI Security Is Checked Out, and Their Disclosure Response Is Overdue (Mindgard, 2025)Zed IDE Vulnerabilities & Coordinated Disclosure (Mindgard, 2025)Inside OpenAI Sora 2: Uncovering System Prompts Driving Multi-Modal LLMs (Mindgard, 2025)From Prompt to Pwn: Cline Bot AI Coding Agent Vulnerabilities (Mindgard, 2025)BinPool: A Dataset of Vulnerabilities for Binary Security Analysis (ACM FSE, 2025)MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis (IBM X-Force)Adobe Shockwave - A Case Study on Memory Disclosure (Phrack, Issue 69)Pwn2Own Wrap Up and Analysis (Network Security, 2010)Walking on Water: A Cheating Case Study (IEEE Security & Privacy, 2009)Reverse Engineering Python Applications (USENIX WOOT, 2008)World War Zero: How Hackers Fight to Steal Your Secrets (TIME)Aaron Portnoy – 'There's no silver bullet for ransomware or supply chain attacks' (The Daily Swig)The business of cyberwar (Thought Leader)Info security expert to address Worcester group (Worcester Business Journal)The Real AI Security Risk Isn't Data Leakage—It's What Your Agents Can Do (Forbes)Google AI Coding Tool Antigravity Was Hacked A Day After Launch (Forbes)AI Doctor's Assistant Swayed to Change Scrips, Researchers Find (The Register)Expert Walks Worcester Through the Economics of Internet Secrets (Worcester Business Journal)Mindgard Finds Sora 2 Vulnerability Leaking Hidden System Prompt via Audio (Hackread)Life as a Bug Hunter (BBC)Exclusive: Researchers Trick a Bot That Prescribes Meds (Axios)Tech Giants Microsoft, Amazon and Others Warn of Widespread Software Flaw (WSJ, paywalled)Zero-day Broker Exploits Vulnerability in I2P to De-anonymize Tails Users (Computerworld)Crack'n'hack Stack Phrack's Back, Jack! (The Register)Hackers Are Actively Exploiting Big-IP Vulnerability with a 9.8 Severity Rating (Ars Technica)iPhone Falls in Pwn2Own Hacking Contest (Reuters)Hacking Online Games: A Widespread Problem (CNET)Chrome Owned by Exploits in Hacker Contests, But Google's $1M Purse Still Safe (Wired)Portrait of a Full-Time Bug Hunter — Abdul-Aziz Hariri (Wired)With Millions Paid in Hacker Bug Bounties, Is the Internet Any Safer? (Wired)Exploit Dealer: Snowden's Favourite OS Tails Has Zero-Day Vulnerabilities Lurking Inside (Forbes)BlackBerry Cracked in Hacking Contest (Dark Reading)More High-Severity Flaws Haunt Adobe Software (ZDNet)HP patches OpenView vulnerabilities (Reuters)Are Vulnerability Disclosure Deadlines Justified? (Idaho National Laboratory, 2011)He Started Hacking at 15. Now He's Predicting the Biggest AI Security Breach of 2026. (Wake UP X Podcast)From Pwn2Own to Pwning AI (Adventures of Alice and Bob Podcast)CVE-2026-41153 — JetBrains Junie: command injection via malicious project file enabling unsafe command execution (Mindgard, 2025)CVE-2026-0612 — The Librarian: information leakage via web_fetch tool in AI assistant (Mindgard, 2025)CVE-2026-0613 — The Librarian: internal port scanning via AI assistant (Mindgard, 2025)CVE-2026-0615 — The Librarian: unauthorized access to supervisord status page via AI assistant (Mindgard, 2025)CVE-2026-0616 — The Librarian: unauthorized access to Adminer database interface via AI assistant (Mindgard, 2025)CVE-2025-68432 — Zed IDE: arbitrary code execution via malicious LSP binary configuration in .zed/settings.json (Mindgard, 2025)CVE-2025-68433 — Zed IDE: command injection via MCP configuration (Mindgard, 2025)Eclipse Theia MCP — MCP configuration vulnerability in Eclipse Theia IDE (Mindgard, 2025)Cline — DNS-based data exfiltration via prompt injection in source file docstrings, coercing reads of .env files and exfiltrating secrets via DNS queries; no CVE assigned (Mindgard, 2025)Cline — arbitrary code execution via prompt injection in .clinerules config file, bypassing user approval dialogs; no CVE assigned (Mindgard, 2025)Cline — TOCTOU race condition via sequential prompt injection enabling arbitrary code execution across separate interaction windows; no CVE assigned (Mindgard, 2025)Cline — model identity disclosure via error messages revealing underlying AI model; no CVE assigned (Mindgard, 2025)Aider — zero-click arbitrary command execution via malicious .aider.conf.yml loading an external command file with user prompts suppressed; no CVE assigned or pursued (Mindgard, 2026)CVE-2023-21554 — Microsoft MSMQ QueueJumper: unauthenticated RCE via malformed MSMQ packets; w/ Valentina Palmiotti, Fabius Watson (Randori/IBM, 2023)CVE-2021-3064 — Palo Alto GlobalProtect: stack-based buffer overflow enabling unauthenticated RCE in portal and gateway interfaces; Randori Attack Team (Randori, 2021)CVE-2017-13997 — Schneider Electric InduSoft Web Studio / InTouch Machine Edition: missing authentication enabling arbitrary command execution, CVSS 9.8 (Exodus Intelligence, 2017)CVE-2017-14024 — Schneider Electric InduSoft Web Studio / InTouch Machine Edition: stack-based buffer overflow enabling RCE, CVSS 9.8 (Exodus Intelligence, 2017)CVE-2017-8022 — EMC NetWorker: buffer overflow in nsrd service enabling unauthenticated RCE (Exodus Intelligence, 2017)CVE-2013-0657 — Schneider Electric IGSS: stack-based buffer overflow via TCP port 12397, CVSS 10.0 (Exodus Intelligence, 2013)CVE-2013-0658 — Schneider Electric Accutech Manager: heap-based buffer overflow in RFManagerService.exe, CVSS 10.0 (Exodus Intelligence, 2013)CVE-2012-4704 — 3S CODESYS Gateway-Server: array index error enabling RCE (Exodus Intelligence, 2013)CVE-2012-4705 — 3S CODESYS Gateway-Server: directory traversal enabling arbitrary code execution (Exodus Intelligence, 2013)CVE-2012-4706 — 3S CODESYS Gateway-Server: integer signedness error causing heap buffer overflow (Exodus Intelligence, 2013)CVE-2012-4707 — 3S CODESYS Gateway-Server: out-of-bounds memory access enabling code injection (Exodus Intelligence, 2013)CVE-2012-4708 — 3S CODESYS Gateway-Server: stack-based buffer overflow enabling RCE (Exodus Intelligence, 2013)CVE-2012-2288 — EMC NetWorker: format string vulnerability in nsrd RPC service enabling RCE (Exodus Intelligence, 2012)CVE-2012-0121 — HP Data Protector Express: unspecified vulnerability enabling RCE or DoS, CVSS 10.0 (Exodus Intelligence, 2012)CVE-2012-0122 — HP Data Protector Express: unspecified vulnerability enabling RCE or DoS, CVSS 10.0 (Exodus Intelligence, 2012)CVE-2012-0123 — HP Data Protector Express: unspecified vulnerability enabling RCE or DoS, CVSS 10.0 (Exodus Intelligence, 2012)CVE-2012-0124 — HP Data Protector Express: unspecified vulnerability enabling RCE or DoS, CVSS 10.0 (Exodus Intelligence, 2012)Oracle Critical Patch Update — multiple Oracle product vulnerabilities (Exodus Intelligence, April 2013)CVE-2011-0335 — Adobe Shockwave Player: memory buffer overflow enabling RCE (TippingPoint DVLabs, 2011)CVE-2011-0555 — Adobe Shockwave Player: memory buffer overflow enabling RCE (TippingPoint DVLabs, 2011)CVE-2011-0556 — Adobe Shockwave Player: memory buffer overflow enabling RCE (TippingPoint DVLabs, 2011)CVE-2011-0569 — Adobe Shockwave Player: buffer overflow in Font Xtra.x32 enabling RCE (TippingPoint DVLabs, 2011)CVE-2011-2111 — Adobe Shockwave Player: buffer overflow in IML32.dll enabling RCE (TippingPoint DVLabs, 2011)CVE-2011-2116 — Adobe Shockwave Player: memory corruption enabling RCE (TippingPoint DVLabs, 2011)CVE-2010-2866 — Adobe Shockwave Player: integer signedness error in DIRAPI module enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-2867 — Adobe Shockwave Player: pointer offset vulnerability in DIRAPIX.dll enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-2870 — Adobe Shockwave Player: heap-based buffer overflow in DIRAPIX.dll enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-2874 — Adobe Shockwave Player: memory corruption via uninitialized pointer enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-2877 — Adobe Shockwave Player: improper input validation in Director movie parsing enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-2878 — Adobe Shockwave Player: improper input validation in DIRAPIX.dll enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-2879 — Adobe Shockwave Player: integer overflow in TextXtra.x32 enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-4188 — Adobe Shockwave Player: heap-based buffer overflow enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-4189 — Adobe Shockwave Player: memory buffer overflow enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-3106 — Novell iPrint Client: ActiveX control improper input validation enabling RCE (TippingPoint DVLabs, 2010)CVE-2010-3107 — Novell iPrint Client: logic flaw in file deletion permissions (TippingPoint DVLabs, 2010)CVE-2010-4316 — Novell iPrint Client: browser plugin Execute Request debug parameter RCE (ZDI-CAN-858; TippingPoint DVLabs, 2010)CVE-2010-4317 — Novell iPrint Client: browser plugin GetDriverFile uninitialized pointer RCE (ZDI-CAN-905; TippingPoint DVLabs, 2010)CVE-2010-4319 — Novell iPrint Client: remote arbitrary file deletion (TippingPoint DVLabs, 2010)CVE-2010-4385 — RealNetworks RealPlayer: invalid frame dimensions in SIPR stream enabling RCE (TPTI-10-17, TippingPoint DVLabs, 2010)CVE-2010-4390 — RealNetworks RealPlayer: heap buffer overflow in MDPR chunk parsing enabling RCE; w/ Logan Brown (TippingPoint DVLabs, 2010)CVE-2010-4294 — VMware Movie Decoder / Workstation / Player / Server: heap memory corruption enabling code injection (TippingPoint DVLabs, 2010)CVE-2009-3846 — HP OpenView Network Node Manager: heap-based buffer overflow in ovlogin.exe, CVSS 10.0 (TippingPoint DVLabs, 2009)CVE-2009-4176 — HP OpenView Network Node Manager: heap-based buffer overflow in ovsessionmgr.exe, CVSS 10.0 (TippingPoint DVLabs, 2009)CVE-2009-4177 — HP OpenView Network Node Manager: buffer overflow in webappmon.exe CGI via Host header, CVSS 10.0 (TippingPoint DVLabs, 2009)CVE-2009-4178 — HP OpenView Network Node Manager: heap-based buffer overflow in OvWebHelp.exe via Topic parameter, CVSS 10.0 (TippingPoint DVLabs, 2009)CVE-2009-4179 — HP OpenView Network Node Manager: stack-based buffer overflow in ovalarm.exe via Accept-Language header, CVSS 10.0 (TippingPoint DVLabs, 2009)CVE-2009-4180 — HP OpenView Network Node Manager: stack-based buffer overflow in snmpviewer.exe via Host header, CVSS 10.0 (TippingPoint DVLabs, 2009)CVE-2009-4181 — HP OpenView Network Node Manager: heap-based buffer overflow in OvCgi/Toolbar.exe, CVSS 10.0 (TippingPoint DVLabs, 2009)CVE-2009-1539 — Microsoft DirectShow: size validation vulnerability in QuickTime media file parsing enabling RCE (TippingPoint DVLabs, 2009)CVE-2009-0909 — VMware Workstation / Player / ACE / Server: heap-based buffer overflow in VNnc Codec enabling RCE (TippingPoint DVLabs, 2009)CVE-2009-0910 — VMware Workstation / Player / ACE / Server: heap-based buffer overflow in VNnc Codec (TippingPoint DVLabs, 2009)CVE-2008-4030 — Microsoft Office Word: resource management error in RTF file parsing enabling RCE (TippingPoint DVLabs, 2008)CVE-2008-4031 — Microsoft Office Word: resource management error in RTF handling enabling RCE (TippingPoint DVLabs, 2008)CVE-2008-3479 — Microsoft MSMQ: remote code execution via malformed RPC request; w/ Cody Pierce (TippingPoint DVLabs, 2008)CVE-2008-2468 — LANDesk Management Suite: buffer overflow in QIP Server Service enabling RCE, CVSS 10.0 (TippingPoint DVLabs, 2008)CVE-2007-6242 — Adobe Flash Player: improper input validation enabling code execution (TippingPoint DVLabs, 2007)CVE-2007-6026 — Microsoft Office Access: stack-based buffer overflow in Jet Engine enabling RCE (TippingPoint DVLabs, 2007)CVE-2007-5082 — CA BrightStor ARCserve Backup HSM: RCE vulnerability; w/ Sean Larsson (TippingPoint DVLabs, 2007)CVE-2007-5083 — CA BrightStor ARCserve Backup HSM: DoS vulnerability; w/ Sean Larsson (TippingPoint DVLabs, 2007)CVE-2007-5084 — CA BrightStor ARCserve Backup HSM: RCE vulnerability; w/ Sean Larsson (TippingPoint DVLabs, 2007)CVE-2007-5323 — EMC Replistor: buffer overflow in server service enabling RCE, CVSS 10.0 (TippingPoint DVLabs, 2007)CVE-2007-2417 — Progress Software OpenEdge: heap-based buffer overflow in _mprosrv.exe, CVSS 10.0 (TippingPoint DVLabs, 2007)CVE-2007-2280 — HP OpenView Data Protector: stack-based buffer overflow in Omnilnet.exe on TCP port 5555 (TippingPoint DVLabs, 2007)CVE-2007-2279 — Symantec Storage Foundation for Windows: authentication bypass enabling arbitrary code execution (TippingPoint DVLabs, 2007)CVE-2007-1868 — IBM Tivoli Provisioning Manager for OS Deployment: multiple stack overflows in HTTP service enabling RCE (TippingPoint DVLabs, 2007)CVE-2007-1862 — Apache HTTP Server mod_mem_cache: information disclosure via improper memory handling returning previous request headers (2007)CVE-2007-1676 — HP OpenView Shared Trace Service: stack-based buffer overflows in ovtrcsvc.exe and OVTrace.exe via crafted requests to opcode handlers 0x1a and 0x0f (TippingPoint DVLabs, 2007)CVE-2007-1674 — LANDesk Management Suite: stack-based buffer overflow in Alert Service, CVSS 10.0 (TippingPoint DVLabs, 2007)CVE-2006-6334 — Citrix Presentation Server Client: heap-based buffer overflow (TippingPoint DVLabs, 2006)Mindgard - Chief Product Officer
Leading product strategy and vision for Mindgard's AI security platform, driving the roadmap for automated red-teaming and adversarial AI testing solutions.
Mindgard - Head of Research & Innovation
Defining strategy and overseeing research efforts to build the world's most advanced automated red-teaming solution for AI systems.
Dartmouth College - Hacker Fellow
Appointed to advise the Institute for Security, Technology, and Society on offensive security strategy, AI safety, and public-interest technology. Provides guidance on cross-disciplinary research initiatives involving machine learning, secure systems, and vulnerability discovery.
Dartmouth College - Hacker-in-Residence
Bridges academia and industry through mentorship, research collaboration, and curriculum development. Designed and taught courses on reverse engineering and software exploitation, and advised the formation of a student-led cybersecurity group.
IBM - Program Director
Directed applied research within a global security software organization. Led development of novel exploitation tools, resulting in measurable improvements across product lines. Defined strategic direction for SaaS security offerings, aligning research efforts with enterprise-scale impact.
Randori - Director of R&D
Led research and development through the company’s hypergrowth phase, culminating in an acquisition by IBM. Directed zero-day vulnerability discovery efforts and introduced attack emulation frameworks that influenced industry understanding of Attack Surface Management.
Boldend - Director of Research
Directed internal research on offensive capabilities with an emphasis on wireless exploitation and threat prototyping. Bridged the gap between R&D and strategic planning by aligning low-level vulnerability research with product and client needs.
Raytheon - Sr. Principal Cyber Engineer
Served as senior technical lead within a cleared offensive programs division. Delivered zero-day tooling integrated into defense systems and introduced efficiency-focused exploitation methodologies that accelerated project timelines.
Exodus Intelligence - Co-Founder & CTO
Co-founded and scaled a commercial zero-day vulnerability intelligence provider. Delivered original research to elite clients including government and defense agencies, and led discovery efforts resulting in dozens of critical vulnerability disclosures.
Zero Day Initiative - Manager, Security Research
Led the world’s largest vendor-agnostic vulnerability acquisition program. Created and judged the Pwn2Own competition, influencing industry patch cycles and responsible disclosure policies adopted globally by major vendors.
Email: aaron@aaronportnoy.com
GitHub: aaronportnoy