About me

I am an Application Security Researcher, static code analysis enthusiast, former Application Security Engineer, and former Software Engineer with a solid development background. I have been on many sides: software developer, internal security auditor, external reporter, bug bounty submitter and triager.

I started as a desktop and backend C++/C# developer. While one part of me enjoyed creating programs, my other passion has always been finding cracks and breaking things. After some time I moved into the Information Security field, where I feel I have found a balance: I enjoy writing security tools and performing technical security assessments. In my free time I like researching the security of third-party products (both closed and open source).

Open source projects I am or was actively developing:

Security Code Scan - Security static code analysis for C# and VB.NET.
Electronegativity - Vulnerability patterns detector for JavaScript/TypeScript Electron applications.

You can find me on Twitter, GitHub and LinkedIn, and you can reach me at jarlob📧gmail.com

Disclosures:

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution in npm/arborist - CVE-2021-39135
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization in npm/node-tar - CVE-2021-37713
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links in npm/node-tar - CVE-2021-37712
Unauthenticated file read in Emby - CVE-2021-32833
Unauthenticated arbitrary file read in Jellyfin - CVE-2021-21402
Remote Code Execution and Local Elevation of Privileges in GoSign App
Weak JSON Web Token (JWT) signing secret in YApi - CVE-2021-27884
Undocumented template expression evaluation in the gajira-comment GitHub action - CVE-2020-14189
Undocumented template expression evaluation in the gajira-create GitHub action - CVE-2020-14188
Remote code execution (RCE) and elevation of privileges (EoP) in SmartStoreNET - CVE-2020-27996, CVE-2020-27997
Arbitrary code execution in DatabaseSchemaReader - CVE-2020-26207
Arbitrary Code Execution in FastReports - CVE-2020-27998
SQL Injection in Mailtrain - CVE-2020-24617
Path traversal vulnerability in Adobe git-server - CVE-2020-9708
Local privilege elevation vulnerability in Composer Windows installer - CVE-2020-15145
Authenticode signature validation bypass in Autodesk Dynamo BIM (CVE-2020-7079) and SoundSwitch
Authorization bypass in Tele2.lt self service website
Arbitrary code execution in Resource.NET (not fixed)
Arbitrary code execution in dnSpy
Path Traversal in Aspose.ZIP for .NET
RCE in Joplin desktop client
SQL injection in Xataface. (The fix)
SQL injection in PHP-MySQLi-Database-Class