• Siwoo Mun (a.k.a munsiwoo)
  • Security Researcher at Samsung SDS, mainly focus on web security.
Seoul, Republic of Korea
[email protected]

Honors & Awards



  • –ing
    • 1st, Plaid CTF 2024 (team HypeBoy)
    • 2nd, Hayyim CTF 2022 (team Yamong Clinic)
    • 3rd, DEFCON CTF 30 Final, Las Vegas (team StarBugs) - 2022y
    • 3rd, 2022 Whitehat Contest Final (team 오리고기파티)
    • 4th, DEFCON CTF 31 Final, Las Vegas (team HypeBoy) - 2023y
    • 4th, WACON CTF 2022 Quals(team 팀 평균연령42세)
    • 4th, DEFCON CTF 29 Final (team StarBugs) - 2021y
    • 5th, SECCON CTF 2022 Final, Tokyo (team Cha shu)
    • 5th, Cyber Conflict Exercise 2025 Final (team NAONSECURE)
    • Finalist, Cyber Conflict Exercise 2022

  • 2020
    • 1st, m0leCon 2020 (team AlPray)
    • Finalist, Whitehat Contest (team Uneducated People)
    • Finalist, 사이버 공격방어대회(CCE) Quals (team 흥부부대찌개)
    • Finalist, CONFidence CTF 2020 Teaser (team CodeRed)
    • Finalist, Midnight Sun CTF 2020 Quals (team CodeRed)
    • Finalist, 0CTF/TCTF 2020 Quals (team Heart Breaker)
    • Finalist, DEFCON CTF 28 (team StarBugs)

  • 2019
    • 1st , HolyShield CTF 2019 (team HeungbuBudaeJjigae/Junior)
    • 1st , WhiteHat Contest Final (team Uneducated people/Junior)
    • 1st , SUA CTF 3th (team BOB8TH_VULN_ANALYSIS)
    • 2nd , The Hacking Championship Junior 2019 (team HeungbuBudaeJjigae)
    • 3rd , Belluminar CTF 2019 (team Aleph Infinite)
    • 5th , ISITDTU CTF Final (team Aleph Infinite)
    • 5th , Timisoara CTF (team Munahnhae)
    • 9th , DEFCON CTF 27 Quals (team CGC)
    • 14th , Plaid CTF 2019 (team CGC)
    • Finalist, DEFCON CTF 27 (team CGC)
    • Finalist (5th), ISITDTU CTF Final (team Aleph Infinite)
    • Finalist (4th), Codegate CTF 2019 Junior (team munsiwoooooo)
    • Finalist (4th), 2019 DVP Global Blockchain CTF (team HeungbuBudaeJjigae)

  • 2018
    • 1st , 2018 CyberGuardians (team Layer7)
    • 2nd , Timisoara CTF, Romania (team NextLine)
    • 3rd , Harekaze CTF (team SeoulWesterns)
    • 3rd , 제 1회 KO-WORLD 해킹방어대회 (team phpandrust)
    • Finalist (13th), DEFCON CTF 26, Las Vegas (team C.G.K.S)
    • Finalist (8th), Cyber Conflict Exercise, Jeju (team 야몽클리닉/Red Team)
    • 은상, 2018 대한민국 육군해킹방어대회 (The Republic of Korea Army Attack and Defense Contest)

  • 2017
    • 1st , Christmas CTF 2017 (team 박광호 1인팀)
    • 3rd , Kookmin Univ & Ubuntu CTF 2017 (team 새싹보끔밥)
    • 4th , Neverland CTF 2017 (team gazoku - solo)
    • 8th , SECUINSIDE CTF Quals 2017 (team FHF)

  • Wargame

Bug Bounties


  • –ing
    • Immunefi
      • Farcaster: Critical severity rewarded 25,000 USDC 🤑
      • Sovryn: Critical severity rewarded 0.5 BTC + 80,000 SOV 🤑
            - Summary: SSRF to XSS (potentially exploitable to trigger browser wallet interactions)
      • BlockPI Network: Critical severity rewarded 15,000 USDC + bonus 🤑
            - Summary: SQL Injection leading to full database access
      • Polymarket: Critical severity rewarded 6,000 USDC (April 24, 2024)
            - Title: SQL Injection in `polymarket.com` and `clob.polymarket.com`
            - Summary: Blind SQL Injection allowing full extraction of sensitive user data
      • Local Traders: Critical severity (bounty evaded)
            - Summary: 2FA bypass vulnerability affecting security controls in a P2P exchange (patched)
      • Unlockd: High severity rewarded 5,000 USDC
      • Xterio Games: High severity rewarded 2,000 USDC
      • Kiln (dApp/Infra): Medium severity rewarded 1,500 USDC
      • Forta Network: Low severity rewarded 1,000 USDC
      • ENS: Low severity rewarded 1,000 USDC
      • AscendEX: Low severity rewarded 700 USDC
      • DeGate: Low severity rewarded 500 USDC

      • The vulnerabilities reported above are all Web2 vulnerabilities. (SQL Injection, SSRF, XSS)
      I comply with Immunefi's Responsible Publication Policy.

    • Naver Bug Bounty Program: XSS
          - Summary: Insufficient origin validation in postMessage handling led to a XSS - $200 USD


  • 2021
    • HackerOne
      • Starbucks Arbitrary File Read: Critical severity rewarded $6,000 USD (max bounty)
            - Summary: Arbitrary file read vulnerability that allows the theft of Starbucks Korea's PG private key, database credentials and webapp source code.
      • Starbucks Multiple XSS: Medium severity rewarded $4,770 USD (total)
    • Bugcamp
    • GNUBOARD5

  • 2020
    • Bugcrowd
      • Atlassian Jira Service Desk XSS: rewarded $600 USD
      • Bitdefender XSS: rewarded $300 USD
    • HackerOne
      • Starbucks: rewarded $1,500 USD
      • Steam(store.steampowered.com) Stored XSS: rewarded $400 USD
    • Naver Bug Bounty Program
      • found 15+ vulns - total rewarded $2,000 USD

  • 2019
    • HackerOne
      • μtorrent: Reflected XSS
      • afreecaTV: found 13+ vulns including SQL Injection
    • Naver Bug Bounty Program
      • found 8+ vulns: total rewarded $1,200 USD
    • GNUBOARD5
      • SQL Injection (<=5.4.0.1) - 2019.09.08
      • XSS (<=5.4.0.1) - 2019.09.08
      • Authentication bypass (<=5.4.0.1) - 2019.09.08
    • DVP Bug Bounty
      • Gate.io: SQL Injection (DVP-2019-30029) - rewarded 4.5 ETH
      • Gate.io: DOM-based XSS (DVP-2019-30165, DVP-2019-30149) - rewarded 0.250 ETH

  • 2018
    • KISA Bug Bounty Program
      • NAVER: SQL Injection(KVE-2018-1301) - rewarded $1,000 USD

  • 2017
    • NAVER PER(Privacy Enhancement Reward)
      • found 25+ vulns (XSS, Open Redirect)

Work Experience


  • SAMSUNG SDS, 통합보안센터(Samsung Security Center)  
    • Position: Security Researcher
    • Date: Jan, 2024 – Present
    • Task: Penetration Testing, Vulnerability Research on Samsung Products

  • RAON Whitehat, 핵심연구팀(Core Research Team)  
    • Position: Security Researcher
    • Date: Sep, 2021 – Dec, 2023 (2 year 3 months)
    • Task: Penetration Testing, Vulnerability Research

  • Best of the Best 8th, KITRI  
    • Position: Mentee, 취약점분석트랙(Vulnerability Analysis Track)
    • Date: Jul, 2019 – Apr, 2020 (9 months)
    • Detail: KITRI, BoB

  • CSSA IoTcube, 고려대학교 소프트웨어보안연구소(CSSA)  
    • Position: Internship
    • Date: Jul, 2018 – Sep, 2018 (2 months)
    • Task: Security vulnerability analysis of an open-source blockchain project.

Speakers


  • CODEGATE 2019(Junior Best Presentation Award)    
    • Title: PHP Trick Trip
    • Content: PHP의 다양한 보안 이슈와 취약점이 웹 해킹 공격으로 이어지는 과정을 다루며,
      Zend 엔진 분석 경험을 토대로 버그가 발생하는 논리적 원인과 그 분석 과정을 소개하는 발표
    • Content(eng): This presentation covers various security issues and vulnerabilities in PHP that can lead to web hacking techniques,
      and based on my experience analyzing the Zend Engine, it discusses the logical reasons for bugs and the process of analyzing them.
    • Date: Mar 27, 2019
    • Detail: CODEGATE Official Website, Presentation (pdf)
    • Award: 한국인터넷진흥원장상

  • 빗썸 청소년 사이버 보안 캠프, Bithumb    
    • Title: 쉽고 간단하게 배워보는 정보보안 Tip
    • Content: 개인정보가 유출될 수 있는 여러 상황을 예를 들며 이를 사전에 예방하는 방법을 소개
    • Date: Nov 23, 2018
    • Detail: Articles, Bithumb Official Website

  • HackingCamp 18, PoC Security    
    • Title: Security option bypass 101
    • Content: PHP의 보안 옵션(open_basedir, disable_functions)을 우회할 수 있는 여러 방법에 대해 소개
    • Date: Sep 02, 2018
    • Detail: HackingCamp Official Website

Publications


  • 2019
    • Automatic Analysis for Node.js Modules, (Best of the best 8th / NerdJS)
      • Title: DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules
        Journal: Springer, International Journal of Information Security (SCIE)
        Author: Hee Yeon Kim, Ji Hoon Kim, Ho Kyun Oh, Beom Jin Lee, Si Woo Mun, Jeong Hoon Shin & Kyounggon Kim
      • https://link.springer.com/article/10.1007/s10207-020-00537-0
    • Node.js 취약점 분석 방법론에 대한 연구, (Best of the best 8th / NerdJS)

Contact me at [email protected]
© Siwoo Mun. All Rights Reserved