Ruikai Peng

I do security research (bug-hunting) on projects I think is fun.

I found bugs in Transformers, Llama.cpp, TensorFlow...
Governmental, Google, Microsoft, Evernote...

Specific bugs and projects I worked on:
25 CVEs, $20,000 in bounty

Remote-Code Executions (RCEs)
• Llama.cpp RPC Heap-overflow Remote-Code Execution (Dec 2024 - Feb 2025)
• Evernote Remote-Code Execution (Jul 2024)
• Tenda AC8 Router Remote-Code Execution (Jun 2024)
• Llama-cpp-python Remote-Code Execution (May 2024)
• Microsoft Semantic Kernel Remote-Code Execution (May 2024)
• Youdao Note Remote-Code Execution (Apr 2024)
• TensorFlow Remote-Code Executions (Aug 2024)
• Transformers tools Remote-Code Execution (Mar 2024)
• Transformers checkpoint Remote-Code Execution (Feb 2024)
• Intel neural-compressor Remote-Code Execution (Jun 2024)
• PrivateGPT sagemaker Remote-Code Execution (Feb 2024)
• LoLLMs 11 Remote-Code Executions, 5 LFIs (Mar 2024)

Others
• Governmental Education System Privilege Escalation (CNVD-2024-15472)
• Managebac XSS (Feb 2024)
• Youdao Note XSS (Oct, 2023)
• REACH XSS (Feb 2025)
• ...

Machine-Learning Security Automation
• AutoGDB.io: Exploit a binary using your LLM (April 2025 - Jun 2025)
• FuzzML: Continuous fuzzing for GGUFs (April 2025 - Present)
• AutoGDB: Recursive Agency with GDB (Dec 2023 - Mar 2024)
• BinaryChat: Chat to your binary (Jan 2023 - Apr 2023)
• PwnBERT: Semantic based vuln detector (Mar 2023 - Apr 2023)