• Siwoo Mun (a.k.a munsiwoo)
  • Security Researcher at Samsung SDS, mainly focused on web security.
  • Member of the CTF teams HypeBoy, Aleph Infinite, and HeungBu.

Seoul, Republic of Korea


Honors & Awards



    • 1st, Plaid CTF 2024 (team HypeBoy)
    • 2nd, Hayyim CTF 2022 (team Yamong Clinic)
    • 3rd, DEFCON CTF 30 Final, Las Vegas (team StarBugs) - 2022
    • 3rd, 2022 Whitehat Contest Final (team 오리고기파티)
    • 4th, DEFCON CTF 31 Final, Las Vegas (team HypeBoy) - 2023
    • 4th, WACON CTF 2022 Quals (team 팀 평균연령42세)
    • 4th, DEFCON CTF 29 Final (team StarBugs) - 2021
    • 5th, SECCON CTF 2022 Final, Tokyo (team Cha shu)
    • Finalist, Cyber Conflict Exercise 2022

  • 2020
    • 1st, m0leCon 2020 (team AlPray)
    • Finalist, WhiteHat Contest (team Uneducated People)
    • Finalist, Cyber Conflict Exercise (CCE) Quals (team 흥부부대찌개)
    • Finalist, CONFidence CTF 2020 Teaser (team CodeRed)
    • Finalist, Midnight Sun CTF 2020 Quals (team CodeRed)
    • Finalist, 0CTF/TCTF 2020 Quals (team Heart Breaker)
    • Finalist, DEFCON CTF 28 (team StarBugs)

  • 2019
    • 1st, HolyShield CTF 2019 Junior (team HeungbuBudaeJjigae)
    • 1st, WhiteHat Contest 2019 Junior Final (team Uneducated people)
    • 1st, SUA CTF 3rd (team BOB8TH_VULN_ANALYSIS)
    • 2nd, The Hacking Championship Junior 2019 (team HeungbuBudaeJjigae)
    • 3rd, Belluminar CTF 2019 (team Aleph Infinite)
    • 5th, ISITDTU CTF Final (team Aleph Infinite)
    • 5th, Timisoara CTF (team Munahnhae)
    • 9th, DEFCON CTF 27 Quals (team CGC)
    • 14th, PlaidCTF 2019 (team CGC)
    • Finalist, DEFCON CTF 27 (team CGC)
    • Finalist (5th), ISITDTU CTF Final (team Aleph Infinite)
    • Finalist (4th), Codegate CTF 2019 Junior (team munsiwoooooo)
    • Finalist (4th), 2019 DVP Global Blockchain CTF (team HeungbuBudaeJjigae)
    • Finalist (4th), 2019 DVP Global Blockchain CTF (team HeungbuBudaeJjigae)

  • 2018
    • 1st, 2018 CyberGuardians (team Layer7)
    • 2nd, Timisoara CTF, Romania (team NextLine)
    • 3rd, Harekaze CTF (team SeoulWesterns)
    • 3rd, 1st KO-WORLD Hacking Defense Contest (team phpandrust)
    • Finalist (13th), DEFCON CTF 26, Las Vegas (team C.G.K.S)
    • Finalist (8th), Cyber Conflict Exercise, Jeju (team 야몽클리닉/Red Team)
    • Silver Prize, 2018 Republic of Korea Army Attack and Defense Contest

  • 2017
    • 1st, Christmas CTF 2017 (team 박광호 1인팀)
    • 3rd, Kookmin Univ & Ubuntu CTF 2017 (team 새싹보끔밥)
    • 4th, Neverland CTF 2017 (team gazoku - solo)
    • 8th, SECUINSIDE CTF Quals 2017 (team FHF)

  • Wargame

Bug Bounties


    • Immunefi
      • Sovryn: Critical severity rewarded $22,410 USD
      • BlockPI Network: Critical severity rewarded $15,000 USD
      • [Censored]: High severity rewarded $6,000 USD
      • Unlockd: High severity rewarded $5,000 USD
      • [Censored]: High severity rewarded $2,000 USD
      • [Censored]: Low severity rewarded $1,000 USD
      • AscendEX: Low severity rewarded $700 USD
      • DeGate: Low severity rewarded $500 USD

    • The vulnerabilities reported above are all Web2 vulnerabilities (SQL Injection, SSRF, XSS).
      I comply with Immunefi's Responsible Publication Policy.

  • 2021
    • HackerOne
      • Starbucks Arbitrary File Read: Critical severity rewarded $6,000 USD
      • Starbucks Multiple XSS: Medium severity rewarded $4,770 USD
    • Bugcamp
      • CISSP Reflected XSS: rewarded $120 USD - Related to the following GNUBOARD5 XSS
    • GNUBOARD5

  • 2020
    • Bugcrowd
      • Atlassian Jira Service Desk XSS: rewarded $600 USD
      • Bitdefender XSS: rewarded $300 USD
    • HackerOne
      • Starbucks: rewarded $1,500 USD
      • Steam (store.steampowered.com) Stored XSS: rewarded $400 USD
    • Naver Bug Bounty Program
      • found 15+ vulns - total rewarded $2,000 USD
    • Prototype Pollution: Node.js NPM modules
      (NodeJS Module Vulnerability Automation Analysis, Best of the Best 8th)
      • CVE-2020-7719, CVE-2020-7700, CVE-2020-7702
      • CVE-2020-7717, CVE-2020-7715, CVE-2020-7716
      • CVE-2020-7707, CVE-2020-7721, CVE-2020-7701
      • CVE-2020-7724, CVE-2020-7727, CVE-2020-7718
      • CVE-2020-7725, CVE-2020-7722, CVE-2020-7703
      • CVE-2020-7704, CVE-2020-7714, CVE-2020-7706
      • CVE-2020-7723

  • 2019
    • HackerOne
      • μtorrent: Reflected XSS
      • afreecaTV: found 13+ vulns including SQL Injection
    • Naver Bug Bounty Program
      • found 8+ vulns: total rewarded $1,200 USD
    • GNUBOARD5
      • SQL Injection (<=5.4.0.1) - 2019.09.08
      • XSS (<=5.4.0.1) - 2019.09.08
      • Authentication bypass (<=5.4.0.1) - 2019.09.08
    • DVP Bug Bounty
      • Gate.io: SQL Injection (DVP-2019-30029) - rewarded 4.5 ETH
      • Gate.io: DOM-based XSS (DVP-2019-30165, DVP-2019-30149) - rewarded 0.250 ETH

  • 2018
    • KISA Bug Bounty Program
      • NAVER: SQL Injection (KVE-2018-1301) - rewarded $1,000 USD

  • 2017
    • NAVER PER (Privacy Enhancement Reward)
      • found 25+ vulns (XSS, Open Redirect)

Work Experience


  • SAMSUNG SDS, Samsung Security Center
    • Position: Security Researcher
    • Date: Jan, 2024 ~
    • Task: Penetration Testing, Vulnerability Research

  • RAON Whitehat, Core Research Team
    • Position: Security Researcher
    • Date: Sep, 2021 ~ Dec, 2023 (2 years 3 months)
    • Task: Penetration Testing, Vulnerability Research

  • Best of the Best 8th, KITRI  
    • Position: Mentee (Vulnerability Analysis Track)
    • Date: Jul, 2019 ~ Apr, 2020 (9 months)
    • Detail: KITRI, BoB

Speakers


  • CODEGATE 2019 (Junior Best Presentation Award)
    • Title: PHP Trick Trip
    • Content: This presentation covers various security issues and vulnerabilities in PHP that can lead to web hacking attacks and, based on my experience analyzing the Zend Engine, discusses the logical reasons the bugs occur and the process of analyzing them.
    • Date: Mar 27, 2019
    • Detail: CODEGATE Official Website, Presentation (pdf)
    • Award: Korea Internet & Security Agency (KISA) President's Award

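  • Bithumb Youth Cyber Security Camp, Bithumb
    • Title: Information Security Tips, Learned Quickly and Simply
    • Content: A presentation that walks through several situations in which personal information can be leaked and introduces ways to prevent them in advance.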
    • Date: Nov 23, 2018
    • Detail: Articles, Bithumb Official Website

  • HackingCamp 18, PoC Security    
    • Title: Security option bypass 101
    • Content: A presentation introducing several ways to bypass PHP's open_basedir and disable_functions options.
    • Date: Sep 02, 2018
    • Detail: HackingCamp Official Website

Publications

Contact me at [email protected]