Yoshinori Hayashi (@8ayac)
Work Experience
Part-time Security Engineer at Cybozu, Inc
Apr 11, 2018 - May 23, 2019- Did security testing and risk assessment
- Operated Cybozu Bug Bounty Program
Part-time Security Engineer at Mitsui Bussan Secure Directions, Inc
Jul 2, 2019 - Mar 31, 2020- Did vulnerability testing of web applications
Application Security Engineer at LINE Corporation
Apr 1, 2021 - PRESENT- Working as a member of the Application Security Team
- Ensuring the security and quality of a wide range services and products developed by LINE and group companies. Platforms and technologies include Web, mobile, desktop, IoT, Fintech, and more.
- Reference:Job description
Education
Department of Information Security, Information Science College, Kanagawa
Apr 1, 2017 - Mar 31, 2021- Received Advanced Diploma(Applied Professional Postsecondary Course(Technology))
- Reference:School information
- Reference:Advanced Diploma (Japan)
Awards & Achievement
MBSD Cybersecurity Challenges 2017
Dec 13, 2017- Won the 1st as team IPFactory
- Reference:https://setten.sgec.or.jp/cooperation/054.html
- Reference:https://caya8.hatenablog.com/entry/2017/12/24/173349
- Reference:https://scan.netsecurity.ne.jp/article/2018/01/18/40514_2.html
MBSD Cybersecurity Challenges 2018
Dec 12, 2018- Won the 1st as team IPFactory
- Reference:https://setten.sgec.or.jp/cooperation/065.html
- Reference:https://caya8.hatenablog.com/entry/2018/12/17/091908
- Reference:https://scan.netsecurity.ne.jp/article/2019/01/16/41841.html
2018 GitLab BugBounty Program
Jan 1, 2019- Won the 7th in GitLab BugBounty Program Hall of Fame.
- Reference:https://hackerone.com/gitlab/thanks/2018?type=team
45th WorldSkills Competition in Kazan
Aug 27, 2019- Won the 6th as team Japan
- Received the Medallion for Excellence
- Reference:https://results.worldskills.org/results?offset=0&base_skill=546&member=14
2019 GitLab BugBounty Program
Jan 1, 2020- Won the 6th in GitLab BugBounty Program Hall of Fame.
- Reference:https://hackerone.com/gitlab/thanks/2019?type=team
Other Activities
Burp Suite Japan User Group
Jan 1, 2019 - PRESENT- A user group of a local proxy tool "Burp Suite.
- Organizing some events and supporting other management tasks.
ISCCTF 2020
Oct 24, 2020- Organized ISCCTF 2020 as a member of team IPFactory.
- Made some web challenges. (Greetinjs, mark damn it)
- Reference:https://caya8.hatenablog.com/entry/2020/10/28/080123
LINE CTF 2022
Mar 26, 2022 - Mar 27, 2022- Organized LINE CTF 2022 as a member of LINE AST(Application Security Team).
- Made a web challenge. (Haribote Secure Note)
- Reference:Press Release (en)
- Reference:Press Release (jp)
- Reference:https://ctftime.org/event/1472/
LINE CTF 2023
Mar 25, 2023 - Mar 26, 2023- Organized LINE CTF 2023 as a member of LINE AST(Application Security Team).
- Made a web challenge. (Old Pal)
- Reference:Press Release (en)
- Reference:Press Release (jp)
- Reference:https://ctftime.org/event/1716
- Reference:LINE CTF 2023 [Web] Old Pal - Author's writeup - もしくはこれ
- Reference:LINE CTF 2023 [Web] Old Pal - Author's writeup [English] - もしくはこれ
LINE CTF 2024
Mar 23, 2024 - Mar 24, 2024- Organized LINE CTF 2024 as a member of LY Corporation SAT1 (Security Assessment Team 1).
- Made a web challenge. (Boom Boom Hell*)
CVEs
CVE-2018-0652
Aug 3, 2018- Found an Stored XSS on GROWI.
- Reference:cve.mitre.org
CVE-2018-0653
Aug 3, 2018- Found an Stored XSS on GROWI.
- Reference:cve.mitre.org
CVE-2018-17454
Oct 1, 2018- Found an Stored XSS on GitLab
- Reference:GitLab Security Release: 11.3.1, 11.2.4, and 11.1.7
- Reference:Original report on HackerOne
CVE-2018-18640
Oct 29, 2018- Found an inappropriate caching policy that possibly cause sensitive information exposures on GitLab.
- Reference:cve.mitre.org
- Reference:GitLab Security Release: 11.4.3, 11.3.8, and 11.2.7
- Reference:Original report on HackerOne
CVE-2019-6785
Jan 31, 2019- Found an input validation issue which could result in a DoS.
- Reference:cve.mitre.org
- Reference:GitLab Security Release: 11.7.3, 11.6.8, 11.5.10
- Reference:Original report on HackerOne
CVE-2019-9220
Mar 4, 2019- Found an input validation issue which could result in a DoS.
- Reference:cve.mitre.org
- Reference:GitLab Security Release: 11.8.1, 11.7.6, and 11.6.10
- Reference:Original report on HackerOne
CVE-2019-13010
Jul 3, 2019- Found an ReDoS on GitLab.
- Reference:cve.mitre.org
- Reference:GitLab Security Release: 12.0.3, 11.11.5, and 11.10.8
- Reference:Original report on HackerOne
CVE-2022-22978
May 16, 2022- Authorization Bypass in RegexRequestMatcher of Spring Security
- Contributed to identifying the cause in resolving this issue, and was credited.
- Reference:cve.mitre.org
- Reference:CVE-2022-22978 | Security | VMware Tanzu
Publications
DEFCON 27 OpenCTF 2019 参戦レポート
Oct 3, 2019- Published in HISYS Journal Vol.34.
- Reference:HISYS Journal Vol.34
技能五輪国際大会(WorldSkills Kazan 2019)出場レポート
Oct 28, 2019- Published in HISYS Journal Vol.35.
- Reference:HISYS Journal Vol.35
GraphQL診断ガイドライン
Dec 24, 2021- Guidelines for vulnerability testing on GraphQL
- Co-authored with the ISOG-J WG1 members
- Reference:https://github.com/WebAppPentestGuidelines/graphQLGuideLine
- Reference:About ISOG-J WG1
Webアプリケーション脆弱性診断ガイドライン 第1.2版
Mar 1, 2022- Guidelines for web application vulnerability testing
- Co-authored with the ISOG-J WG1 members
- Reference:https://github.com/WebAppPentestGuidelines/WebAppPentestGuidelines
- Reference:About ISOG-J WG1
細かすぎるけど伝わってほしい脆弱性診断手法ドキュメント
Apr 12, 2023- The document focused on minor vulnerabilities that are often overlooked
- Co-authored with the ISOG-J WG1 members
- Reference:https://webapppentestguidelines.github.io/newtechtestdoc
- Reference:https://news.yahoo.co.jp/articles/eadff573fdd6bad1d1d5f04cbbb2cf48d4cdfb4b
- Reference:https://scan.netsecurity.ne.jp/article/2023/04/19/49227.html
- Reference:About ISOG-J WG1
Presentations
Dec 13, 2017
MBSD Cybersecurity Challenges 2017 最終審査会 発表スライド
Dec 12, 2018
MBSD Cybersecurity Challenges 2018 最終審査会 発表スライド
Mar 11, 2019
Free Bugs Campaign