ruby.sh!

security research and writing

Here is a list of all my security (or somewhat security adjacent) publications/writings/research etc. I have plans to move my threads from Twitter to longer form articles, but as they were first published there I will still treat them as a separate publication.

• arXiv preprint, 2025 - Beneath the Mask: Can Contribution Data Unveil Malicious Personas in Open-Source Projects?

• ruby.sh, 2024 - writing up my thoughts about CVE-2024-3094 and a very early release of a tool to audit git repositories for similar anomalous contributor behavior (reposted from twitter thread)

• nist, 2020 - CVE-2020-11694 JetBrains PyCharm advisory

• twitter, 2020 - JetBrains included their Apple code-signing and artifactory credentials in PyCharm builds

• assetnote, 2019 - Getting access to Zendesk’s Google Cloud and Artifactory from GitHub dotfile repos

• hackerone, 2019 - Leaked artifactory_key, artifactory_api_key, and gcloud refresh_token via GitHub.

• tokyo, 2018 - Hack me if you can: inside the world of bug bounty hunting

• nist, 2017 - CVE-2017-16755 / CVE-2017-16756 (HelpSpot disclosure)

• hackerone, 2016 - Incoming email hijacking on sc-cdn.net (Snapchat)

• medium, 2016 - First thoughts and a quick setup guide on Bash for Windows

• medium, 2016 - Watch Paint Dry: How I got a game on the Steam Store without anyone from Valve ever looking at it.

• medium, 2015 - Offensive Security’s “Penetration Testing with Kali Linux” Course — and why it’s possibly the best way to get started in InfoSec