Security Research Portfolio

Sebastián Alba

Costa Rica
// 00.5

Hall of Fame & Acknowledgments

public recognition
CERN · European Organization for Nuclear Research

Computer Security Kudos Page

CERN runs the Large Hadron Collider (the world's largest particle accelerator), and much of the open-source scientific software it publishes (ROOT for data analysis, Geant4 for particle simulation, Delphes for detector simulation) is used across high-energy physics, NASA and ESA space missions, and hospital radiotherapy planning. I reported critical vulnerabilities in ROOT and the first CVE ever assigned in Geant4's history; the CERN Computer Security Team added my name to their public Kudos page.

2026
View on CERN Kudos ↗
Kaspersky · Neuromorphic Platform PSIRT

Vulnerability Acknowledgments

Kaspersky's PSIRT runs a coordinated-disclosure program that publicly credits external researchers. My reports targeted the Kaspersky Neuromorphic Platform (their open-source framework for running brain-inspired spiking neural networks on specialised AI inference hardware), where I found memory-safety issues in the FlatBuffers + ZMQ communication layer. Kaspersky acknowledged the findings in their Security Researcher Acknowledgements bulletin.

2026
View on Kaspersky ↗
DSCI · Data Security Council of India

Letter of Appreciation

DSCI is India's national cybersecurity council, established by NASSCOM and backed by the Indian government. It operates the national Threat Intelligence Platform used to monitor cyber threats against India's critical infrastructure. I discovered three vulnerabilities in the platform, including unauthenticated access to configuration data and full source code exposure, all patched. DSCI's CEO Vinayak Godse issued a Letter of Appreciation for the responsible disclosure.

2026
Letter of Appreciation ↗
OWASP CERVANTES · Official OWASP Project

2 Letters of Recognition

OWASP Cervantes is an official project under the Open Web Application Security Project, the leading non-profit dedicated to web application security. Grayback is its vulnerability disclosure platform. I reported two web vulnerabilities through the VDP program: a stored Cross-Site Scripting that persisted JavaScript on the application, and a Server-Side Template Injection that allowed expressions to be evaluated on the server. Both findings were acknowledged with individual Letters of Recognition signed by Ruben Mesquida, OWASP Project Leader.

2026
Letter of Recognition (XSS) ↗ Letter of Recognition (SSTI) ↗
U.S. DEPARTMENT OF DEFENSE · Vulnerability Disclosure Program

Recognized by the U.S. Department of Defense

The U.S. Department of Defense runs one of the largest vulnerability disclosure programs in the world, coordinated by the Defense Cyber Crime Center (DC3) on HackerOne. I submitted a vulnerability report that was triaged and resolved by the DoD security team, earning the Insecticide and Good Samaritan platform badges.

2026
HackerOne report (resolved) ↗
BITDEFENDER · Bug Bounty Hall of Fame

Bitdefender Bug Bounty Hall of Fame

Bitdefender is a global cybersecurity company. I reported two out-of-bounds write vulnerabilities in Napoca, their open-source bare-metal hypervisor, both reachable from a guest virtual machine. Bitdefender assigned two CVEs and listed me in their public Bug Bounty Hall of Fame.

2026
View Hall of Fame ↗
// 01

Confirmed CVE Assignments

35 CVEs across 13 targets · ordered by severity
// 02

Vendor-Confirmed Findings

10+ confirmations
// 03

Findings Breakdown

by language · bug class · domain
[Charts not shown. Panels: Source Language (where the bugs live) · Bug Class (memory safety dominates) · Domain / Platform (where the code runs) · Tooling & Techniques (how I found them)]
// 04

Patent & Other Contributions

// 05

Attack Surface Scanner

pick a target · watch how it was found

Each target below is a real project I audited. Click one to replay the scan, from git clone to CVE assigned. Every step, file path and tool shown is what actually happened.
