Security Labs

At Snyk, our Security Labs team is dedicated to improving application security through high-impact research. We aim to enhance developers’ and security teams’ expertise by offering comprehensive research and tools.

Our work has led to major CVEs in core container infrastructure, closed significant supply-chain attack vectors in popular open-source registries, and demonstrated novel attacks on emerging technologies like AI and LLMs.

Our values

Awareness

Bringing light to under-represented areas of security and helping educate developers through research.

Impactful security

Finding and helping fix wide-impacting vulnerabilities in open-source software (OSS) and modern applications.

Scalability

Conducting security research at scale.

Community collaboration

Creating tools to help the community discover and mitigate vulnerabilities and threats.

Meet the team

Get to know our team of security researchers.

Raul Onitza-Klugman

Staff Security Researcher

A former gardener turned security wizard. When not fuzzing native libraries and breaking modern AppSec, Raul can be found looking for ways to optimize his sourdough bread while enjoying the classic Belgian beer Delirium.

Rory McNamara

Staff Security Researcher

Long-time bug bounty hunter, ex-pentester, and AppSec engineer. Rory is passionate about race conditions and Linux exploitation.

Elliot Ward

Senior Security Researcher

Ex-pentester and AppSec engineer with a focus on anything web security. When not hacking, Elliot loves to skateboard and snowboard.

Featured research

Check out some of the recent high-profile research from the Security Labs team.

Blog

Call for action: Exploring vulnerabilities in GitHub Actions

In this blog post, we will provide an overview of GitHub Actions, examine various vulnerable scenarios with real-world examples, offer clear guidance on securely using error-prone features, and introduce an open source tool designed to scan configuration files and flag potential issues.

Blog

Leaky Vessels: Docker and runc container security vulnerabilities (January 2024)

Snyk security researcher Rory McNamara of the Snyk Security Labs team has identified four vulnerabilities, known as Leaky Vessels, in core components of the container infrastructure that enable container breakouts.

Blog

Gitpod remote code execution 0-day vulnerability via WebSockets

In this post, we present the first findings from our current research into Cloud Development Environments (CDEs) — which allowed a full account takeover through visiting a link, exploiting a commonly misunderstood vulnerability (WebSocket Hijacking), and leveraging a practical SameSite cookie bypass.