Who’s the hardest working researcher of all time?  Of 2009?

Posted by Scott Moore on March 09, 2010 at 10:39 AM EST.

Many inquires are made to the X-Force, some self serving, requesting the names of the researchers who find the most vulnerabilities.   I imagine that it is a great resume bullet to say that you are on this list.  It is time to update our list of vulnerability discoverers of all time and to recap the past year’s top discoverers.

The X-Force Database now catalogs a little over 47,000 vulnerabilities in our database.  We try to list the discoverer of each vulnerability, when available.  Our numbers differ from some vulnerability databases because we catalog multiple, similar vulnerabilities found in a single application as one entry in our database.  I will give you an example of one hard working researcher, Russ McRee.  He found a vulnerability in multiple php files in a popular CMS (Content Management System).  Some databases count these as different vulnerabilities, but the X-Force database entry considers this to be one entry .  The database lists all of the offending php files that have the same user-supplied input validation issue.  Hopefully this will clear up some of questions that I anticipate receiving after this blog post.

Top Vulnerability Discoverers of All Time

Located below is a chart of the percentage of vulnerabilities that are discovered by the top 10 researchers of all time, the percentage of vulnerabilities that are discovered by named individuals, and the percentage of vulnerabilities are listed as unknown discoverers through the end of 2009.

With that being said, here are the all time leaders in vulnerabilities discovered.

Luigi Auriemma still describes himself as a 29 year-old atheist living close to Milan, Italy.   He enjoys releasing free information, whether it is interesting or not, but knows that someone, somewhere,  is looking for the information that he publishes.  He is not for hire.

r0t is a 19 year-old from Turku, Finland, who according to his bio, published his first public advisory as a 14 year- old. 

indoushka is rather elusive, but has moved into the Top 10 list.

rgod  still maintains the third spot on the list (posthumously).  His site remains intact, hosted by close friends.

Top Vulnerability Discoverers of 2009

Moudi finds himself at the top discoverer of 2009.  He is described as a hacker from Lebanon who posts most of his findings via exploit sites such as Offensive Security’s Exploit Database and Packet Storm Security.  Some familiar names can also be found within.

Thoughts and Caveats Worth Repeating

The problem with constructing Top-10 lists like the two above is that you are guaranteed to upset some vulnerability researcher out there that did not make it on to the list. So, here are a few caveats to bear in mind:

1. While X-Force aims to analyze and catalogue every public vulnerability disclosure, it is entirely possible that some vulnerabilities may be missed.  This may be because they were disclosed on non-public lists or could not be verified being an actual vulnerability.
2. In some cases, a vulnerability may be publicly disclosed without an indicator as to who initially discovered the vulnerability (which is often intentionally done by the discoverer).  Therefore, we catalogue the researcher as “unknown.”
3. There are no points for sexiness of the vulnerability. The lists above are based purely on the number of public disclosures , not the quality of the vulnerability. Cross-site scripting vulnerabilities in a commercial shrink-wrapped application count for the same as a remote root vulnerability on a default Windows service.
4. If a researcher did not publicly disclose the vulnerability , it does not count.  So, even if you are an uber pentester that regularly discovers 100 new vulnerabilities with each consulting engagement, you weren’t counted  unless you released a public disclosure of the vulnerability (sorry).