Awards and CVEs
Awards:
- 2025: NDSS Distinguished Reviewer (NDSS 2025)
- 2022: CCS’22 Best Paper Honorable Mention (ACM CCS 2022)
- 2021: The First Prize, Outstanding Research Paper Award of Guang Dong Computer Federation (“DeepChain: Auditable and Privacy-Preserving Deep Learning with Blockchain-based Incentive.”)
- 2020: Excellent Graduate Students of Guangdong Province [0.25%]
- 2019: The First Prize, Outstanding Research Paper Award of Guang Dong Computer Federation (“CrowdBC: A blockchain-based decentralized framework for crowdsourcing.”)
- 2019: Best Paper Award, IEEE International Conference on Industrial Internet
- 2019: One paper was listed on Essential Science Indicators (ESI) ranking as “Highly Cited Paper” from Web of Science
- 2018: National scholarship for Ph.D. Students in Cyber Security, 50000 RMB
- 2016: Outstanding Graduates
- 2015: National scholarship for Master Students, 20000 RMB
- 2015: Reaching Fund on Android Security, 4000 RMB
- 2014: The Third Prize, Microsoft ImagineCup for College Students in Shannxi Province, 1000 RMB
- 2014: The First Prize, Science and Technology Contest for College Students, Zhongxing Telecommunication Equipment Corporation
- 2014: The Second Prize, Software Design Competition, Programmable System Inc, Shanghai, China
Selected CVEs & Vulnerabilities:
- 2025: A bug bounty of $5000 (0.05154318 BTC).
- 2024: We analyzed 26 TB of traffic, revealing 45 vulnerabilities, including 29 zero-day exploits with 25 CVE-IDs assigned (5 CRITICAL, 3 HIGH, 16 MEDIUM, and 1 LOW) and an estimated value of approximately $312,000. These vulnerabilities affect around 12.71 million devices across 148 countries, exposing them to severe risks such as information disclosure, authentication bypass, and arbitrary command execution. The findings have attracted significant attention, sparking widespread discussion in cybersecurity circles, reaching the top 25 on Hacker News, and generating over 190,000 views.
- 2022: Tencent has confirmed 6 vulnerabilities, ranked 3 low, 2 medium and 1 high, and awarded us bug bounties (5,000 USD).
- 2021: We discovered two vulnerabilities in Mosquitto version 2.0.7 (CVE-2021-28166 and CVE-2021-34432).
- 2020: We identified a vulnerability with wide-reaching implications across Bluetooth specifications (CVE-2020-35473), impacting all Bluetooth devices.
- 2020: We have identified a few Bluetooth vulnerabilities in Apple products. Apple acknowledged our findings and released a patch. Details can be tracked via CVE-2020-9770.
- 2020: The Google Android Security Team also acknowledged the Bluetooth design flaws and rated the identified Android vulnerabilities as High severity. Details can be tracked via Android ID 130833727.
- 2019: TI’s PSIRT has released a patched SDK to “Update authentication parameters when transitioning between authenticated/non-authenticated pairing” based on the reported vulnerabilities of TI’s BLE stack (CVE-2020-16630).
- 2019: Two CVEs (CVE-2019-18388 and CVE-2019-18389) were assigned to track the bugs identified in QEMU/KVM Virtio Devices.
- 2018: The accessibility-abusing vulnerabilities can be tracked through AndroidID-79268769 and CVE-2018-9376.
- 2016: We explored the design flaws that severely undermine the security of Cloud Drives. The findings were widely reported by mainstream media in China, including China Central Television (CCTV), Weibo, Sohu and various other press outlets. [▶ refer to news from CCTV]