Seokchan Yoon
ch4n3.yoon@gmail.com
Offensive Web Security Researcher
GitHub, GitLab, Python, Django, FastAPI(Starlette), Apache Airflow, Ruby, Ruby on Rails, Java Spring 보안 기여자
DEF CON 33 CTF 결선 진출: 2016년부터 활동 중인 CTF 경쟁자(약 10년)
수상: 국방부 장관 표창(2024), 국가보안기술연구소장 표창(2022, 2021), 사이버작전사령관 표창(2019), 교육부 장관상(2018)
Google, Naver 버그 바운티 명예의 전당 등재
경력
Zellic.io
USA - remote
Security Researcher
2025년 4월 - 현재
Web2 Infrastructure & Application Auditing
Conducted comprehensive security assessments on complex Web2 architectures, ranging from SaaS platforms to crypto-exchange infrastructures.
Performed manual source code review and grey-box testing to identify potential vulnerabilities (e.g., SQL Injection, Business Logic Flaws, Denial-of-service)
Security Consulting & Risk Management
Collaborated directly with clients to define practical remediation strategies.
Advised on security trade-offs, balancing robust defense mechanisms with product usability and business operational requirements.
Airflow Security Team, Apache Software Foundation
USA - remote
Security Team Member
2025년 7월 - 2026년 1월
Reviewing and addressing security vulnerabilities in Apache Airflow
Collaborating with the open-source community
Maintaining the security posture of the project in accordance with ASF guidelines
PWNLAB (System Security Lab), Kyung Hee University
S.Korea
Undergraduate Research Intern
2025년 3월 - 2026년 1월
Developed a multi-cloud security audit tool for Samsung Electronics to automate compliance checks across AWS, GCP, and Azure
Implemented 260+ security inspection checks (IAM, Network, Container, Database, Storage, Monitoring, Logging) using Python and FastAPI, aligned with IaC principles
Engineered an agentless, multi-threaded scanning engine optimized for large-scale enterprise environments
Conducted black-box penetration testing on 19+ Samsung corporate web services; identified 10 vulnerabilities
Found several medium-impact issues including IDOR, file upload bypass, and reflected XSS
Advisor: Prof. Daehee Jang
[REDACTED] Institute under the Ministry of National Defense
S.Korea
Unit [REDACTED], Private [REDACTED]
2023년 9월 - 2025년 3월
- Conducted research and development on [REDACTED]
STEALIEN
S.Korea
R&D / Proactive Response Team, Security Researcher
2020년 7월 - 2023년 6월
Web Penetration Testing / Red Teaming
Conducted numerous penetration tests over 3 years targeting web services across major industries including finance, enterprises, and government agencies
Performed black-box assessments on diverse environments such as KB Kookmin Bank, Hana Bank, Ministry of Culture, Sports and Tourism and Ministry of Foreign Affairs-affiliated services, and Lotte Castle IoT systems
Executed a penetration testing engagement for the City of Bandung, Indonesia web services
CTF Platform Development and Operation
Designed and developed a custom web-based CTF platform (Django + React)
Managed the full pipeline of distributing, collecting, and uploading challenges across ~20 problem setters
Operated on-site competitions including the Ministry of Education Cybersecurity Competition and Ko-World CTF at Dubai GITEX
Internal Security Infrastructure
Designed and built internal GitLab, tech blog, deployment systems, and internal network environment to prevent external leakage of exploits
학력
KyungHee University
S.Korea
Computer Science & Engineering
2020년 3월 - 2026년 2월
Best of the Best 6th
S.Korea
Vulnerability Analysis Track
2017년 7월 - 2018년 5월
Korea Digital Media High School
S.Korea
Department of Hacking Defense
2017년 3월 - 2020년 2월
기술
Web Security & Vulnerability Research
- Web penetration testing
- Red-teaming
- Security auditing
- Vulnerability disclosure (CVE, HackerOne, Google VRP)
Development & Operations
- Educational system development (Cyber Drill System, Django + React)
- CTF competition operation
- Internal tools, technical blogs, deployment systems
수상
2025 DEF CON CTF 33
2025년 1월
2025 Cyber Conflict Exercise (CCE) General Division (사이버공격방어대회)
Korea
2025년 1월
2024 White Hat Contest Soldier Division (화이트햇 콘테스트)
Korea
Awarded the Minister of National Defense Award
2024년 1월
2023 CODEGATE University Division
Korea
2023년 1월
2022 CODEGATE University Division
Korea
2022년 1월
2022 Cyber Conflict Exercise (CCE) Public Institution Sector Division (사이버공격방어대회)
Korea
Awarded the Director of National Security Research Institute Award
2022년 1월
2022 HACKTHEON SEJONG National University Cybersecurity Competition
Korea
Awarded the Director of National Security Research Institute Award
2022년 1월
2021 Cyber Conflict Exercise (CCE) Public Institution Sector Division (사이버공격방어대회)
Korea
Awarded the Director of National Security Research Institute Award
2021년 1월
2019 Cyber Operations Challenge Student Division (사이버작전경연대회)
Korea
Awarded the Cyber Operations Commander Award
2019년 1월
2018 Cybersecurity Competition Individual Preliminary Round (정보보안경진대회)
Korea
Awarded the President of Seoul Women's University Award
2018년 1월
2018 Cybersecurity Competition Team Finals (정보보안경진대회)
Korea
1st Place, hosted by the Ministry of Education, Korea
Awarded the Minister of Education Award
2018년 1월
2017 Cybersecurity Competition Team Finals (정보보안경진대회)
Korea
Awarded the Director of Korea Education and Research Information Service Award
2017년 1월
오픈소스
CPython
- CVE-2024-7592: Denial of Service due to quadratic complexity parsing when handling cookies containing backslashes.
Django
CVE-2023-36053: Regular Expression Denial of Service in EmailValidator and URLValidator.
CVE-2024-24680: Denial of Service in the intcomma template filter.
CVE-2024-27351: Regular Expression Denial of Service in Truncator.words() function.
CVE-2024-21520: Cross-Site Scripting in Django Rest Framework's browsable API.
CVE-2024-41991: Denial of Service in urlize function and AdminURLFieldWidget.
CVE-2024-53908: SQL Injection in HasKey function when using Oracle databases.
CVE-2025-48432: Potential log injection via unescaped request path
CVE-2025-64458: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
CVE-2025-64460: Potential denial-of-service vulnerability in XML serializer text extraction
CVE-2026-25673: Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows
FastAPI / Starlette
CVE-2025-62727: O(n^2) DoS via Range header merging in starlette.responses.FileResponse
Apache Airflow
CVE-2024-39877: Code Execution vulnerability in the scheduler allowing DAG authors to execute arbitrary code
CVE-2024-39863: Potential Cross-Site Scripting in the web interface
CVE-2024-45034: Authenticated DAG authors can execute arbitrary code on scheduler nodes
CVE-2024-56373: Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information
Ruby
CVE-2024-41123: Denial of Service in REXML due to crafted XML inputs
Ruby on Rails
- CVE-2024-47887: Regular Expression Denial of Service in Action Controller's HTTP token authentication.
- CVE-2024-41128: Regular Expression Denial of Service in Action Dispatch's query parameter filtering.
Java Spring
- CVE-2024-38809: Denial of Service through crafted conditional HTTP requests.
GitHub
HackerOne#2646500: Pre-authenticated DoS Vulnerability in GitHub Enterprise
GitLab
HackerOne#3550632: OO disclosure via OO in gitlab.com (expected to receive CVE in March 2026)
Google VRP
Ranked at 20th in South Korea
Website