Introduction
At #DEFCON33, one of the most prestigious security conferences in the world, Natan Morette presented the CVE-Hunters project, which represents a fundamental change in the way we approach cybersecurity education, transforming the classic dilemma of lack of experience into a concrete learning opportunity.

With 116 published CVEs, 170 discovered vulnerabilities, and 20 active members in less than a year, CVE-Hunters is a replicable model that is changing lives and improving the security of systems used by millions of people.

During his classes, Natan constantly faced the same question:
“How do I gain real-world experience in cybersecurity?”
The Problem of Experience in Cybersecurity
The usual answer offered two options:
- Participating in CTFs:
CTFs create a "competition mindset" that's different from the real world, focusing on solving artificial challenges that don't simulate the complexity of production systems.
- Studying for certifications:
Certifications, in turn, are costly and focus on theory without immediate practical application.
The job market perpetuates this paradox. Even "junior" positions require prior experience, seeking professionals with experience in vulnerability assessment, practical knowledge of responsible disclosure, a demonstrable portfolio of security findings, and an understanding of business relevance.
The CVE-Hunters Philosophy
The project was born from a simple premise:
“We got tired of waiting for opportunities, so we created our own.”
The difference lies in the selection of Open-Source projects, based on real social benefit, prioritizing projects used by organizations that serve vulnerable populations.
1st Wave – WeGIA Project
In November 2024, with just three people (Natan and two students), they chose #WeGIA as their first target. WeGIA is a Brazilian Open-Source platform used by social programs and NGOs, including orphanages, nursing homes, and adoption centers. The choice made sense: it had direct social relevance, accessible code, Brazilian developers facilitating communication, and it was a critical system protecting data from vulnerable populations.

The 1st Wave resulted in 48 published CVEs with an impressive distribution:
- 34 Cross-Site Scripting (70.8%);
- 8 SQL Injection (16.7%);
- 2 Broken Access Control (4.2%);
- 1 Remote Code Execution (2.1%);
- 1 Open Redirect (2.1%);
- 1 Denial of Service (2.1%);
- 1 CSRF in sensitive action (2.1%).
A special highlight was Elisangela Silva de Mendonça, a student who single-handedly discovered 29 of the 48 CVEs (60% of the total). Her journey perfectly exemplifies the project's potential: she started as a beginner in vulnerability research, developed a systematic analysis methodology, landed her first job in cybersecurity, and today serves as a reference point for new members within the group.

The impacts went beyond the number of CVEs published, creating ripples of real change in the community. The first two students landed their first jobs in cybersecurity, validating in practice that the experience they gained was recognized by the market. Simultaneously, WeGIA developers not only fixed the discovered vulnerabilities but also implemented best security practices throughout the project. What began as a one-off collaboration evolved into a lasting relationship, with other independent researchers feeling inspired to contribute to the project.
2nd Wave – Portabilis Projects
This initial validation paved the way for an ambitious expansion. With 10 new students, the team identified its next challenge: #Portabilis, a company that develops Open-Source software for educational management. One of its systems, i-Educar, represents an impressive story in terms of social reach:
- The system connects more than 80 Brazilian municipalities;
- Manages 2,050 schools;
- Impacts 500,000 students.
Even the Brazilian Air Force uses it for critical simulations.
The discovery of CVE-2025-8789 illustrates how simple vulnerabilities can have devastating consequences. This flaw allowed unprivileged users to change student grades through direct API calls. The irony was cruel: while the interface blocked unauthorized actions, the APIs operated as open doors, validating only whether the user was logged in and ignoring their specific permissions. Finding it exercised the systematic methodology the team had developed: analysis of restricted flows, request interception, bypass testing, and confirmation of the true severity.
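The pattern behind CVE-2025-8789, reduced to a minimal grade-update handler, as an added example that is not code from the talk or from the i-Educar project: the vulnerable variant checks only that a session exists, while the hardened variant also checks a permission and object-level ownership and records denied attempts for detection. The `Session` class, the `grades:write` permission name, and the user, class and grade records are all constructed assumptions.

```python
"""Added example (not code from the CVE-Hunters talk or from i-Educar).

Models the class of flaw described for CVE-2025-8789: an API endpoint that
verifies only that the caller is logged in, so any session can modify a
student's grade. The hardened variant adds permission and object-level checks.
Every record below is constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample data: (student_id, class_id) -> grade, and class ownership.
GRADES = {("student-1", "7A"): 7.5}
CLASS_TEACHERS = {"7A": "teacher-ana", "8B": "teacher-bob"}
AUDIT_LOG: list[str] = []  # denied attempts land here; feed this to your SIEM


@dataclass
class Session:
    """Assumed session shape: who the caller is and what they may do."""
    user_id: str
    role: str  # "student", "teacher" or "admin"
    permissions: frozenset[str] = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


def update_grade_vulnerable(session, student_id, class_id, new_grade):
    """Vulnerable pattern: authentication only. Any logged-in user succeeds."""
    if session is None:
        raise Forbidden("not logged in")
    GRADES[(student_id, class_id)] = new_grade
    return GRADES[(student_id, class_id)]


def update_grade_hardened(session, student_id, class_id, new_grade):
    """Hardened: authentication, then permission, then object-level ownership."""
    if session is None:
        _deny(None, student_id, class_id, "not logged in")
    if "grades:write" not in session.permissions:
        _deny(session, student_id, class_id, "missing grades:write")
    # Object-level check: a teacher may only edit classes assigned to them.
    if session.role != "admin" and CLASS_TEACHERS.get(class_id) != session.user_id:
        _deny(session, student_id, class_id, "not assigned to class")
    if not 0.0 <= new_grade <= 10.0:
        raise ValueError("grade out of range")
    GRADES[(student_id, class_id)] = new_grade
    return GRADES[(student_id, class_id)]


def _deny(session, student_id, class_id, reason):
    """Log the refusal (useful as a detection signal) and abort the request."""
    who = session.user_id if session else "anonymous"
    AUDIT_LOG.append(f"DENY user={who} target={student_id}/{class_id} reason={reason}")
    raise Forbidden(reason)


if __name__ == "__main__":
    student = Session("student-1", "student")
    print("vulnerable:", update_grade_vulnerable(student, "student-1", "7A", 10.0))
    try:
        update_grade_hardened(student, "student-1", "7A", 10.0)
    except Forbidden as exc:
        print("hardened refused:", exc)
    print(AUDIT_LOG)
```

The UI-level block the article mentions is absent here on purpose: the check must live in the endpoint itself, and the `AUDIT_LOG` entries are the kind of record that lets defenders spot a logged-in but unauthorized caller probing the API directly.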
The results of the 2nd Wave reflect scale and depth:
- 42 vulnerabilities in i-Educar;
- 19 in i-Diário;
- 8 published CVEs;
- 53 vulnerabilities in the disclosure process.
3rd Wave – Diversification and Maturity
The 3rd Wave marks remarkable maturity, managing eight simultaneous projects, from continuity with WeGIA and i-Educar to diversification into Centreon, Grav, Indico, and Scada-LTS. Among all the discoveries, the work on Scada-LTS stands out as an almost cinematic moment. This system, used by the Itaipu Dam to simulate cyberattacks on critical infrastructure, revealed two XSS vulnerabilities (CVE-2025-7728 and CVE-2025-7729) in less than a minute, demonstrating the refined efficiency of the methodology.
Structured Methodology
The process includes:
- Careful selection (1-2 days) assessing social impact and maintainer responsiveness;
- In-depth reconnaissance (3-5 days) mapping architecture and configuring environments;
- Intensive vulnerability assessment (15-20 days) combining static analysis with dynamic testing;
- PoC development (2-3 days);
- Responsible disclosure (5-10 days), involving careful diplomacy.
The toolkit evolved organically: SonarQube and Semgrep for static analysis, Burp Suite and OWASP ZAP for dynamic testing, and custom Python scripts for specific gaps. Reporting via VulnDB, GitHub Security Advisories, and standardized templates ensured consistency and increased acceptance rates.

Each Wave brought unique challenges. The technological diversity required specialized expertise in record time. The interpersonal challenges (uncooperative maintainers, variable response times, and different levels of security maturity) taught strategic patience and stakeholder management. Two lessons emerged as fundamental:
- Detailed documentation with screenshots and a clear articulation of business relevance;
- Collaboration exponentially amplifies results through peer review and mentoring.
Educational and Community Legacy
The educational legacy is a set of impressive technical skills (systematic code analysis, an intuitive understanding of attack surfaces, the development of functional PoCs) and professional skills (managing multiple projects, stakeholder relationships, and professional documentation). The results validated the original hypothesis: multiple members landed their first jobs with demonstrable portfolios and community recognition through public CVEs.

The contribution to the community extended beyond fixing vulnerabilities, establishing security practices in projects that previously ignored them, inspiring similar groups, and demonstrating the viability of collaborative models.
The Future of CVE-Hunters
The future includes:
- Expansion through University partnerships;
- A formal mentoring program;
- The development of proprietary tools.
For aspiring security researchers, the lessons are clear:
- Initial focus on a single project with a measurable impact;
- Sufficient time commitment, meticulous documentation;
- Unwavering commitment to responsible disclosure.
Educators can revolutionize teaching by replacing simulations with engagement with real projects. The open source community can enhance results by establishing clear reporting channels and promoting a security-first culture.
Conclusion
The CVE-Hunters project has democratized access to real-world security expertise, creating a replicable path for anyone who wants to make a difference. The numbers:
- 116 published CVEs;
- 20 active members;
- Millions of users impacted!
These numbers quantify success, but the qualitative effect is more significant:
You don’t need to wait for opportunities when you can create your own.
"We weren't just looking for bugs, we were looking for a way to contribute"
And they have contributed profoundly to their own futures, to the security of systems that protect vulnerable populations, and to the next generation of security researchers armed with a tested roadmap to turn curiosity into a career.
Reference
Presentation "From Noobz to Vulnerability Researchers: The Journey of the CVE-Hunters" - DEF CON 33, 2025.
By: CVE-Hunters