Log inSign up
Chris Evans
3,518 posts
Image
user avatar
Chris Evans
@scarybeasts
CISO and Chief Hacking Officer at HackerOne. Past: Founded {vsftpd, Chrome security, Google Project Zero}; Tesla; Dropbox. Hacker / Researcher. beebjit.
San Francisco Bay Area
scarybeastsecurity.blogspot.com
Joined May 2009
201
Following
25K
Followers
RepliesRepliesMediaMedia

New to X?

Sign up now to get your own personalized timeline!

Create account

By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.

Terms·Privacy·Cookies·Accessibility·Ads Info·© 2026 X Corp.
Don't miss what's happening
People on X are the first to know.
Log inSign up
  • Pinned
    user avatar
    Chris Evans
    @scarybeasts
    Nov 30, 2021
    I'm now CISO and Chief Hacking Officer at HackerOne. "The most rewarding parts of my career have been the times when I’ve hired hackers, rewarded independent hackers, defended hackers, and celebrated the achievements of hackers." linkedin.com/posts/scarybea…
    Image
  • user avatar
    Chris Evans
    @scarybeasts
    Feb 28, 2018
    Overheard today: "the least plausible technology in Star Trek is instant video conferencing that just works".
  • user avatar
    Chris Evans
    @scarybeasts
    May 10, 2017
    So my CPU has a webserver in it and my SYSTEM account has a JavaScript engine in it. I think we've lost the complexity battle.
  • user avatar
    Chris Evans
    @scarybeasts
    Aug 5, 2015
    I'm very excited to soon be joining @TeslaMotors to lead security.
  • user avatar
    Chris Evans
    @scarybeasts
    Sep 26, 2017
    Uhhhuh this Google Project Zero bug has a working remote exploit into the WiFi chip of the iPhone 7! bugs.chromium.org/p/project-zero…
  • user avatar
    Chris Evans
    @scarybeasts
    Nov 21, 2016
    Hardest exploit I ever wrote: [0day][exploit] Advancing exploitation: scriptless 0day exploit against Linux desktops goo.gl/6tKeoS
  • user avatar
    Chris Evans
    @scarybeasts
    Nov 2, 2019
    Remember, Google Chrome is very well sandboxed. So when you see a Chrome 0-day fixed by the team in isolation, you have to suspect another company (Microsoft?) is sitting on an unfixed sandbox escape. Usually (but not always) a Windows kernel bug. Often Win 7 only.
  • user avatar
    Chris Evans
    @scarybeasts
    Jan 1, 2018
    Red alert? "tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve.": pythonsweetness.tumblr.com/post/169166980…
  • user avatar
    Chris Evans
    @scarybeasts
    May 17, 2021
    [blog] Recovering "lost" treasure-filled floppy discs with an oscilloscope: scarybeastsecurity.blogspot.com/2021/05/recove…, a project with Phil Pemberton. A fun project with a lot of nuance and experimentation.
    Image
    Image
    Image
  • user avatar
    Chris Evans
    @scarybeasts
    May 6, 2017
    [blog] [1day] Ode to the use-after-free: one vulnerable function, a thousand possibilities: scarybeastsecurity.blogspot.com/2017/05/ode-to…
    Image
  • user avatar
    Chris Evans
    @scarybeasts
    Nov 16, 2020
    [blog] "Reverse engineering a forgotten 1970s Intel dual core beast: 8271, a new ISA": scarybeastsecurity.blogspot.com/2020/11/revers… A small team decapped / reversed an 8271; beautiful but shockingly large. Dual core! Larger than the 6502 CPU (right). Fascinating Intel history and a new Intel ISA!
    Image
  • user avatar
    Chris Evans
    @scarybeasts
    Sep 19, 2017
    [blog] Employed again! I’m now Head of Security at Dropbox, and enjoying it. Details: scarybeastsecurity.blogspot.com/2017/09/excite…
  • user avatar
    Chris Evans
    @scarybeasts
    Jul 1, 2022
    I've just published the technical post mortem for an incident I've been working on. I hope it's useful to defenders:
    Image
    hackerone.com
    HackerOne disclosed on HackerOne: June 2022 Incident Report
    # Intro Since the founding of HackerOne, we have kept a steadfast commitment to disclosing security incidents because we believe that sharing security information far and wide is essential to...
  • user avatar
    Chris Evans
    @scarybeasts
    Mar 15, 2022
    On behalf of the HackerOne team, I’d like to apologize to the Ukrainian hacker community for the frustration and confusion that our poor communication has caused. We have not (and will not) block lawful payments to Ukraine.
Advertisement
Advertisement