Zong Cao

Beijing

Overview

years of professional experience

Imperial Global Singapore

09.2024 - Current

Design and Implementation of Automated Bug Hunting Tools to Apply Hacker's Domain Knowledge into Agent System.
Detection of Security Flaws in Connected Wearables and Healthcare Systems
Designing Mitigation Strategies Against Attacks

ADLab of Venustech

07.2019 - 07.2020

DigApis Technology

06.2018 - 09.2018

University of Chinese Academy of Sciences

06.2024

Beijing University of Posts And Telecommunications

06.2021

Attacking the WebAssembly Compiler of WebKit. Zong Cao, Zheng Wang, Yeqi Fu, Fangming Gu, Bohan Liu, Blackhat Asia 2023, Briefing Session.
The Overlooked Attack Surface: Diving into Windows Client Components for RCE Vulnerabilities. Qinghe Xie, Fangming Gu, Zong Cao, Qingli Guo, Blackhat USA 2024, Briefing Session.
Achilles' Heel of JS Engines: Exploiting Modern Browsers During WASM Execution. Bohan Liu*, Zong Cao*, Zheng Wang, Yeqi Fu, Cen Zhang, Blackhat USA 2024, Briefing Session.
Is JavaScript Trustworthy in Cloud Computing? Zong Cao, Qian Zhu, Hongkun Chen, Yang Liu, Xiu Zhang. Blackhat Europe 2024, Briefing Session.
Server-Side JS Application Security. Zong Cao. Alibaba Security Researcher Conference 2025.
No Man's Land: Security Threats in the New Architecture of Operating Systems. Zong Cao, RISC-V Mentorship Showcase 22.

[Medical Devices]: Successful exploitation of a commercially available specific brand's glucose sensor.
[Cloud Platform AWS, Azure]: Successful exploitation of PostgreSQL DB services to achieve arbitrary code execution.
[MacOS/Safari Browser]: 10+ bugs including CVE-2019-8678, CVE-2022-32863, CVE-2022-32886, CVE-2022-32888, CVE-2022-32885, CVE-2024-44244, CVE-2025-24158. Zong Cao has been acknowledged multiple times in Apple's security advisory.
[Firefox Browser]: 10+ bugs including CVE-2024-2606, CVE-2023-32211. Zong Cao has been acknowledged multiple times in Mozilla's security advisory.
[Edge Browser]: CVE-2020-0768, Zong Cao has been acknowledged in MicroSoft's security advisory.
[Linux OS]: CVE-2023-2483, CVE-2023-1670, CVE-2023-1855, CVE-2023-1859, CVE-2023-30772.
[Nginx Server]: 20+ bugs including CVE-2021-46461, CVE-2021-46462, CVE-2021-46463, CVE-2022-25139, CVE-2022-27007, CVE-2022-27008.
[VirtualBox]: 5+ bugs. Zong Cao has been acknowledged in Oracle's security advisory.
[IDA Pro]: Several OOB reads in type info deserialization.

Merit Student of University of Chinese Academy of Sciences
DEF CON CTF Final 2024 - 12th Place Globally
0CTF/TCTF 2021 Quals - 1st Place Globally
National College Student Information Security Competition Innovation Practice Ability Competition Final - 1st Prize
National College Cybersecurity Management and Operations Challenge 2019 - National 2nd Prize, North China Region 1st Prize