brett gervasoni principal security engineer, mx racer.

about

I am a security engineer at Salesforce, leading the global internal Offensive Security team. I am also a passionate MX racer.

founded

RacerOne

RacerOne was a social GPS based iOS/watchOS/web application designed for motocross athletes. 2016-2023.

RacerOne.mx has been the most successful product I've created, with 3,177 users and 1,541 tracks from all over the world. Users of RacerOne logged over 1.9 million track sessions! RacerOne led me to many opportunities, and I met many friends from developing and running this product.

See the archived preview of the RacerOne.mx marketing landing page, and the screenshot dumps: iOS, Web UI, watchOS.

ZerodayMarketplace

ZerodayMarketplace.com was a bug bounty style web application, with a twist. 2015-2016.

PentestMonster

PentestMonster.com was a traditional bug bounty style web application. This project was successful, though I had other interests. 2014-2016.

public security advisories

To date, I have discovered high or critical risk security vulnerabilities in products from many well known vendors including Adobe, Cisco, Oracle, Foxit, Sun, HP, PHP, Novell, Symantec, Trend Micro, McAfee, and Microsoft. Majority of these were released through vulnerability disclosure programs such as the ZDI.

I have also participated bug bounty programs (including Google's), and have been credited with the discovery of multiple vulnerabilities.

The more recent vulnerabilities I have publicly reported through vulnerability disclosure programs, and at times opt to remain anonymous. A subset of the older vulnerabilities I have found are listed below.

Mozilla Firefox Memory Corruption Vulnerability 2019-08-01 Libaom Decoder Memory Corruption Vulnerability 2019-06-01 PHP 8.0 XML Memory Corruption Vulnerability 2019-03-19 Symantec Web Gateway 5.0.x Multiple RCE Vulnerabilities 2015-05-10 Cisco WebEx Client Heap Overflow Vulnerability 2014-07-10 Novell ZENworks umaninv Information Disclosure Vulnerability 2013-11-24 Oracle Sun GlassFish Enterprise Server Unauth Stored XSS (Leading to Account Takeover) 2011-07-19 Cisco Unified Operations Manager Multiple RCE Vulnerabilities 2011-05-18 Adobe Reader 9 Memory Corruption Vulnerability 2011-03-29 Foxit Reader 5.0 RCE Memory Corruption Vulnerability 2011-03-26 Adobe Reader 9.3.4 Memory Corruption Vulnerabilities CVE-2010-3630 2010-10-05 SafeNet SoftRemote Local Buffer Overflow Vulnerability 2010-03-06 TheGreenBow VPN Client Local Stack Overflow Vulnerability 2010-03-06 Apache 2.2.14 mod_isapi Dangling Pointer Vulnerability 2010-03-06 Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit 2009-09-17 FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit 2009-03-26 FreeSSHd Multiple Remote Stack Overflow Vulnerabilities 2008-12-21 W3C Amaya Browser (id) Remote Stack Overflow Vulnerability 2008-11-24 PDFView (OpenPDF) ActiveX Heap Overflow Vulnerability 2008-11-15 GoodTech SSH Remote Buffer Overflow Exploit 2008-10-23 FreeSSHd (rename) Remote Buffer Overflow Exploit 2008-07-12 PHP 5.2.3 imagepsloadfont Buffer Overflow Vulnerability 2007-07-26