Backend Engineer | Security Researcher | Fuzzing Enthusiast

Iranian software engineer passionate about making open-source software more secure and reliable through fuzzing, vulnerability research, and code contributions.

Good at breaking things to make them stronger, finding crashes, memory bugs, and security flaws in widely-used software, then writing the patches to fix them.

Python, Rust, Go, and Care my daily tools. Come for the bugs, stay for the fixes.

CPython: Active contributor to CPython's security and robustness through fuzzing and bug fixing.

• Filed 9+ security-critical issues: use-after-free, NULL dereferences, type confusion, race conditions, memory leak, heap overflow and undefined behavior in core modules (_csv, _sqlite3, pyexpat, _json, ssl, datetime, lexer, _hashlib).
• Submitted 6+ PRs with corresponding fixes for the bugs I found.
• Contributions focus on C-level memory safety bugs discovered through targeted fuzzing.

Django: Contributed 6 PRs to the main Django repository.

• Fixed OverflowError in SQLite queries, session handling bugs, authentication form improvements, and code quality issues.

OpenSSL: Filed 3 issues including memory leaks and NULL pointer dereferences in crypto subsystems.

HarfBuzz: Submitted 2 PRs fixing a memory leak in get_glyph_from_name() and a missing nullptr check in glyf.

LibVNC: Fixed buffer overflow issues in both libvncserver and x11vnc.

OWASP DevSecOps Guideline: Contributed 4 PRs improving container vulnerability scanning and SAST documentation.

Security bug reports across the ecosystem:

• libass — Integer overflow leading to OOB write in ass_add_font()
• ppp-project — Overflow in sockaddr struct
• fluent-bit — NULL dereference on memory allocation error
• Flask — Dev server open redirect via double slash
• jQuery — Location.hash XSS vulnerability
• Rust lang — Option::unwrap() panic issue
• golang/go — os/exec path handling issue
• SQLAlchemy — Thread parallelism connection crash
• crash-utility, google/syzkaller, google/sanitizers — Various kernel tooling issues and fixes

I believe in making the software we all depend on more secure. My approach is simple: fuzz it, break it, fix it, upstream it. Every crash report and patch makes the ecosystem a little safer for everyone. I focus on memory safety bugs because they have the highest real-world impact — use-after-free, NULL dereferences, buffer overflows, and type confusion are the vulnerabilities that attackers exploit.

Open source security is a public good. I contribute because reliable, safe infrastructure benefits everyone.