whoami
My name is Julien Ahrens (also known as @MrTuxracer), I’m a 35-years full-time bug bounty hunter, exploit developer and freelancer. I founded this blog in 2011, when I started to get interested in security topics. My goal has always been to reflect my very own learning curve and to give back my very personal contribution to the security community.
Online publications about myself
- hackerone.com - HACKER SPOTLIGHT: INTERVIEW WITH MRTUXRACER
- synack.com - Hacking Up the Synack Leaderboard with Levels
- sz.de - Ich finde immer eine Schwachstelle
- bild.de - Interview with bild.de
- youtube.com - Interview @ Live Recon with @nahamsec
- hackerone.com - Live Hacking in Amsterdam
I have also profiles on all major bug bounty platforms:
A complete overview of all coordinated/disclosed vulnerabilities can be found on the following sites:
CVE Track Record
| Vendor/Product | Type | CVE(s) |
|---|---|---|
| Framer Preview | Arbitrary URL Loading | CVE-2020-25203 |
| Acronis Cyber Backup | Unauthenticated SSRF | CVE-2020-16171 |
| o2 Business App for Android | Open Redirect | CVE-2020-11882 |
| Mailgun MJML | Local File Inclusion | CVE-2020-12827 |
| Oracle | Undisclosed | CVE-2020-2870, CVE-2020-2871, CVE-2020-2872, CVE-2020-2873, CVE-2020-2874, CVE-2020-2876, CVE-2020-2877, CVE-2020-2878, CVE-2020-2879, CVE-2020-2880, CVE-2020-2881 |
| WordPress SlickQuiz | Stored Cross Site Scripting | CVE-2019-12517 |
| WordPress SlickQuiz | SQL Injection | CVE-2019-12516 |
| Quest | XSS | CVE-2019-11604 |
| Schneider Electric | Remote Code Execution | CVE-2018-7841 |
| AlienVault | Cross-Site Request Forgery | CVE-2017-14956 |
| Check_mk | Information Disclosure | CVE-2017-14955 |
| Ubiquiti | Privileges Escalation | CVE-2016-6914 |
| AlienVault | Cross-Site Scripting | CVE-2016-6913 |
| Apache Archiva | Cross-Site Scripting | CVE-2016-5005 |
| Apache Archiva | Cross-Site Request Forgery | CVE-2016-4469 |
| Typo3 | Cross-Site Scripting | CVE-2015-5956 |
| Yahoo | Remote Code Execution | CVE-2014-7216 |
| Free Download Manager | Remote Code Execution | CVE-2014-2087 |
| GetGo Download Manager | Remote Code Execution | CVE-2014-2206 |
| Watchguard | Cross-Site Scripting | CVE-2013-5702 |
| Watchguard | Privileges Escalation | CVE-2013-5701 |
| Nullsoft WinAmp | Denial of Service | CVE-2013-4694 |
| Ricoh | Remote Code Execution | CVE-2012-5002 |
| C4B Xphone UC | Cross-Site Scripting | CVE-2012-4259 |
| Lan Messenger | Denial of Service | CVE-2012-3845 |
| GpsMadpEdit | Denial of Service | CVE-2012-6042 |
| Astaro (now Sophos) | Cross-Site Scripting | CVE-2012-3238 |
About Disclosures!
Another important part of my work has always been (and will always be) the coordination of security vulnerabilities with vendors of all kinds. I think that especially the open source community, which is not backed up by a multi-billion dollar industry, deserves the free contribution of vulnerability information. Whenever possible, I’ll therefore try to follow my disclosure policy.
Lorem Ipsum
If you like to contribute something: info [a.t] rcesecurity [d.o.t] com
For an additional level of privacy: PGP-Key.
All data and information provided on this site is for informational purposes only. rcesecurity.com makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use either directly or indirectly. All information is provided on an as-is basis.