Fish in a Barrel

Fish in a Barrel is a security research organization dedicated to combining the laziest techniques with high-impact targets. In short: we're shooting fish in a barrel.

With decades of combined experience in security research, we deliver top results for our clients.

Follow us on Twitter to get updates about memory unsafety.

Our research staff

Alex Gaynor

Alex is a principal security researcher and founder of Fish in a Barrel. He occasionally does security research that requires actual effort, but prefers not to.

Paul Kehrer

Paul is a long-time fan of poorly written software, having developed it his entire career. When not writing fuzzers he can be found crawling back under the rock he came from.

Jonathan Rudenberg

Jonathan never intended to be a security researcher, but that changed when they almost got sued for accidentally discovering a flaw in a major cloud provider. Since that day, Jonathan has continued to accidentally find bugs, and occasionally modifies build systems that no one understands as part of the futile fight against solved bugclasses.

Tim Smith

Tim is literally a biologist. Once we made it clear that "fuzzing" was not the same as "letting mold take over your culture" he caught on pretty quickly.

Chris Wolfe

Chris was immediately hooked on writing fuzzers when he noticed that they produce enormous amounts of logs and crash programs.

Nelson Elhage

Nelson used to find security bugs the old-fashioned way, by actually reading source code. Once he realized that oss-fuzz was a lot easier he renounced his "doing actual work" ways for good.

Augie Fackler

Augie enjoys fuzzing because it's a fun way to convince people they shouldn't write C and C++.

Elana Hashman

In spite of her work to add better support for reliably distributing compiled binaries, Elana has spent nearly her entire professional career trying to avoid C and C++.

William Woodruff

William is a human-shaped fuzzer. Banks hate him! He will never give up Ruby.

Your Name Here!

Fish in a Barrel is looking to grow and diversify our team of security researchers. Do you like doing security research that could be entirely eliminated by better tools? Consider joining!

Apply to Join »


Memory unsafety + fuzzing = Fish in a Barrel

We leverage cutting-edge fuzzing engines like libFuzzer and AFL to target known-unsafe programming languages like C and C++ to maximize our findings. Hundreds of CVEs, almost no effort.

Sometimes we also type <script>alert()</script> into websites.


High-impact targets

We target security-critical projects such as ImageMagick, GraphicsMagick, ClamAV, and GnuTLS to maximize our impact.

We've probably found vulnerabilities in something you use.


We get results

Look at all these vulnerabilities.

There's no way we'd be this productive if we had to do real work for each vulnerability.


Please put us out of business

Stop writing C/C++.

Probably you should also sandbox your software.


Phish in a Barrel

Stop sending your employees test phishing emails. Everybody clicks on them all the time.

Use phishing-resistant authentication instead. Seriously, buy all your employees security keys.


New: Fish in a Barrel Swag

Branded vulnerabilities shouldn't be the only art in this industry.

We're proud to offer Fish in a Barrel Swag for sale. Available as posters or stickers, this art serves as a reminder that we all have a responsibility to stop using programming languages that contribute to avoidable vulnerabilities.