Han Zheng

PhD Student at HexHive
École Polytechnique Fédérale de Lausanne
Switzerland

prof_pic_50.jpg

I’m a PhD Student at HexHive@EPFL, advised by Prof. Mathias Payer. I received my master degree in University of Chinese Academy of Science in 2023 and my bachelor in Xidian University in 2020. I’m broadly interested in Software and System security. Specifically, my work focus on 1) finding bugs in open-source software by fuzzing and static analysis 2) improving the automatic program repairing techniques to reduce the developer efforts.

I actively contribute to community by submitting bug reports and intergrating my research prototypes. So far I reported over 50 CVEs for widely used open source softwares and integrated my research prototypes in AFL++, one of the most widely used greybox fuzzing framework.

I enjoy bug hunting on complex software system for fun and profits. By leveraging static analysis, fuzzing and code auditing, I successfully found a series of vulnerbilities in web browsers and rank #42 in Google VRP 2024, receiving 25,000 USD bug bounties. Beside memory corruption, I discovered several logical vulnerabilities in Microsoft products.

Feel free to drop me an email in case of any questions!

news

May 17, 2025 MendelFuzz receive available and reusable (subsumes functional) badges!
Mar 11, 2025 I’m honored to be invited to serve on the FUZZING’25 Program Committee.
Mar 01, 2025 I ranked #42 in Google VRP 2024, and received 25,000 USD bounty from Chrome VRP last year.
Jan 14, 2025 MendelFuzz was accepted by Foundations of Software Engineering 2025!
Apr 26, 2023 FishFuzz was accepted by USENIX Security 2023!

selected publications

  1. FSE’25
    MendelFuzz: The Return of the Deterministic Stage
    Han Zheng, Flavio Toffalini, Marcel Böhme, and 1 more author
    In Proceedings of the ACM International Conference on the Foundations of Software Engineering, 2025
  2. Security’23
    FishFuzz: Catch deeper bugs by throwing larger nets
    Han Zheng, Jiayuan Zhang, Yuhang Huang, and 6 more authors
    In 32nd USENIX Security Symposium (USENIX Security 23), 2023