Disclosures

Public and privately disclosed security findings from my pre-AI career. Most of this work is eight to fifteen years old — kept here as a record of how I think, not as a service offering.

2022

  • NIST (Public)

    National Vulnerability Database — coordinated error correction

    Coordinated with NIST to identify and correct thousands of errors in the National Vulnerability Database. Vulnerability scanners that consume NVD data downstream became more trustworthy as a result.

  • Microsoft (Public)

    Microsoft Bug Bounty — $3,000 award

    Public recognition and a $3,000 award from Microsoft for a private vulnerability disclosure.

  • Apache Log4j, tooling (Public)

    Log4Shell Detection Tool

    Open-sourced a Log4j detection tool with 90% lower resource use, 99% faster runtime, and zero false positives compared with the incumbent scanners. Picked up by 150+ companies during the Log4Shell response.

2021

  • Microsoft (Private disclosure)

    Windows PowerShell Core and Windows Defender Application Control

    Privately disclosed several major vulnerabilities in Microsoft PowerShell Core and Windows Defender Application Control (WDAC). One of these became publicly documented as VULN-051861.

  • IBM (Private disclosure)

    IBM BigFix — multiple vulnerabilities

    Privately disclosed several major vulnerabilities in IBM BigFix during the Verve Industrial Protection period. Public CVEs published later grew out of earlier work on the same product family.

2017

  • IBM (Embargoed)

    IBM BigFix — CVE-2017-1466

    IBM BigFix advisory. Public details were embargoed at the time of the original disclosure.

  • IBM (Public)

    IBM BigFix — CVE-2017-1222

    IBM BigFix Platform did not perform authentication checks on a critical resource, allowing anonymous users to reach protected areas.

2015

  • IBM (Public)

    IBM BigFix — CVE-2016-0214

    Unauthenticated file upload vulnerability in the IBM BigFix platform, permitting denial of service and the hosting of phishing pages on the management infrastructure itself.

  • University of Wisconsin-Madison (Private disclosure)

    UW-Madison AANTS — network infrastructure vulnerability chain

    A chain of vulnerabilities that, combined, would have let a remote unauthenticated attacker manipulate every managed switch, router, and firewall on the UW campus network. Privately disclosed and remediated.

If you're researching a specific advisory and need more detail than what's here, email me at bill@strawgate.com. For active vulnerability reports in any of my current open-source projects (FastMCP, py-key-value, py-mcp-collection), please use GitHub security advisories rather than public issues.