Richard Hyunho Im (@richeeta)

I’m a security researcher who specializes in uncovering logic vulnerabilities, uncommon attack surfaces, and race conditions. My discoveries and work have been publicly credited by Apple, OpenAI, Microsoft, Google, and the BBC.

I am scheduled to present Siri-ously Leaky: Exploring Overlooked Attack Surfaces Across Apple’s Ecosystem at DEF CON 33 and HOU.SEC.CON 2025.

I am also scheduled to co-host the Hacker v. Triage panel discussion with Denis Smajlović at DC 33 Bug Bounty Village.

I am OSCP-certified and am ranked (as of July 2025) in the Top 25 of OpenAI’s bug bounty program.

Some of my published CVEs include:

• CVE-2025-24225 — a Mail spoofing vulnerability in iOS 18.5 and iPadOS 17.7.7
• CVE-2025-24198 — a Siri lock screen data exposure issue across iOS, macOS, and visionOS
• CVE-2024-44235 — sensitive information disclosure via Spotlight in iOS and iPadOS 18

My main research domains include iOS/iPadOS, macOS, and visionOS, particularly where user experience collides with security boundaries: Shortcuts, Siri, SpringBoard, Face ID, and deep link chains. I also poke at cloud auth flows, buried Apple ID logic, CoreText, and anything else that trusts input a little too eagerly.

Although I have been and remain allergic to Java, I have (somehow) managed to build two Burp extensions:

• AI Auditor — a lightweight plugin that integrates GPT-4o, Claude, and Gemini into Burp’s active scanner to enrich automated findings with AI-assisted context
• 0xGUID Scanner — a passive Burp plugin that detects UUID misuse, classifies format entropy, and surfaces subtle implementation flaws in ID generation

Also: I have a one year old toy poodle named Peanut, who shares my passion for bug hunting (more literal in his case).