Zong Cao

Beijing

Overview

7 years of professional experience

Work History

Security Researcher

Imperial Global Singapore
09.2024 - Current
  • Design and Implementation of Automated Bug Hunting Tools That Apply Hackers' Domain Knowledge in an Agent System
  • Detection of Security Flaws in Connected Wearables and Healthcare Systems
  • Designing Mitigation Strategies Against Attacks

Browser Security Researcher Intern

ADLab of Venustech
07.2019 - 07.2020
  • Monitoring and Exploiting Trends in Chrome, Firefox, and Safari Vulnerabilities
  • Detection of Security Flaws in Safari, Firefox, and Chrome

Security Researcher Intern

DigApis Technology
06.2018 - 09.2018
  • Design and Implementation of Automated Exploitation Tools

Education

Master - Cyber and Information Security

University of Chinese Academy of Sciences
06.2024

Bachelor - Cyberspace Security (Experimental Class)

Beijing University of Posts and Telecommunications
06.2021

Public Research

  • Attacking the WebAssembly Compiler of WebKit. Zong Cao, Zheng Wang, Yeqi Fu, Fangming Gu, Bohan Liu, Black Hat Asia 2023, Briefing Session.
  • The Overlooked Attack Surface: Diving into Windows Client Components for RCE Vulnerabilities. Qinghe Xie, Fangming Gu, Zong Cao, Qingli Guo, Black Hat USA 2024, Briefing Session.
  • Achilles' Heel of JS Engines: Exploiting Modern Browsers During WASM Execution. Bohan Liu*, Zong Cao*, Zheng Wang, Yeqi Fu, Cen Zhang, Black Hat USA 2024, Briefing Session.
  • Is JavaScript Trustworthy in Cloud Computing? Zong Cao, Qian Zhu, Hongkun Chen, Yang Liu, Xiu Zhang, Black Hat Europe 2024, Briefing Session.
  • Server-Side JS Application Security. Zong Cao. Alibaba Security Researcher Conference 2025.
  • No Man's Land: Security Threats in the New Architecture of Operating Systems. Zong Cao, RISC-V Mentorship Showcase 22.

Bug Hunting Results

  • [Medical Devices]: Successful exploitation of a commercially available glucose sensor from a specific brand.
  • [Cloud Platform AWS, Azure]: Successful exploitation of PostgreSQL DB services to achieve arbitrary code execution.
  • [macOS/Safari Browser]: 10+ bugs including CVE-2019-8678, CVE-2022-32863, CVE-2022-32886, CVE-2022-32888, CVE-2022-32885, CVE-2024-44244, CVE-2025-24158. Zong Cao has been acknowledged multiple times in Apple's security advisory.
  • [Firefox Browser]: 10+ bugs including CVE-2024-2606, CVE-2023-32211. Zong Cao has been acknowledged multiple times in Mozilla's security advisory.
  • [Edge Browser]: CVE-2020-0768. Zong Cao has been acknowledged in Microsoft's security advisory.
  • [Linux OS]: CVE-2023-2483, CVE-2023-1670, CVE-2023-1855, CVE-2023-1859, CVE-2023-30772.
  • [Nginx Server]: 20+ bugs including CVE-2021-46461, CVE-2021-46462, CVE-2021-46463, CVE-2022-25139, CVE-2022-27007, CVE-2022-27008.
  • [VirtualBox]: 5+ bugs. Zong Cao has been acknowledged in Oracle's security advisory.
  • [IDA Pro]: Several OOB reads in type info deserialization.

CTF Experience

  • 2021-2024, NeSE, Member of Never-Stop-Exploiting CTF team group A.
  • 2018-2021, Dubhe, Member of Dubhe CTF team.

Awards

  • Merit Student of University of Chinese Academy of Sciences
  • DEF CON CTF Final 2024 - 12th Place Globally
  • 0CTF/TCTF 2021 Quals - 1st Place Globally
  • National College Student Information Security Competition Innovation Practice Ability Competition Final - 1st Prize
  • National College Cybersecurity Management and Operations Challenge 2019 - National 2nd Prize, North China Region 1st Prize
