CYBERSECURITY RESEARCHER

Hamizan Azman

Security research at Singapore Management University, supervised by Prof Xiaofei Xie with Dr Lili Quan. Working on publishing a first-author paper on vulnerabilities LLMs miss, incoming DIS Cyber Specialist, awarded with four paid bug bounties.

Singapore Management University
NTUCyberSG R&D Programme Office
Temasek PolytechnicDigital & Intelligence Service
Google.orgThe Asia Foundation

01 // ABOUT

I'm a 20-year-old in Singapore with a Diploma in Cybersecurity and Digital Forensics from Temasek Polytechnic.

Since February 2026 I have been a research intern at Singapore Management University under Prof Xiaofei Xie, with Dr Lili Quan. I'm working on a first-author paper studying vulnerabilities LLMs miss across real-world open-Source software and targeting a top security or software-engineering venue.

On the disclosure side, I have been awarded one CVE published at CVSS 6.8 Medium, a second vulnerability at CVSS 6.9 Medium, third at CVSS 6.8 Medium, and a fourth at CVSS 4.8 Medium. Four paid bug bounties total across three programmes, eight valid duplicate findings, and was active in an invite-only GovTech Bug Bounty Programme.

I helped found the TP Cybersecurity Clinic as its first Lead Student Ambassador from August 2025 to February 2026, helping run Singapore's first cybersecurity clinic for MSMEs. I oversaw 38 MSMEs being supported and 40 ambassadors trained, with 12 on-site engagements I personally led. I was behind its admittance into the CyberSG Consortium.

I'm also an incoming DIS Cyber Specialist through the DIS University Work-Learn Scheme in 2026.

LocationSingapore
EducationTP Cybersecurity & Digital Forensics
GraduatedMay 2026
RoleResearch Intern @ SMU
SupervisorsProf Xiaofei Xie, Dr Lili Quan
FocusLLM Security & Vulnerability Research
Disclosure4 paid bounties, 1 CVE published
DIS UWLSIncoming Cyber Specialist

02 // TESTIMONIALS

“His contribution has been well beyond what I usually see from a student before university… I recommend Hamizan very strongly. I would be happy to continue working with him in my research group during his undergraduate studies.”

Prof Xiaofei Xie

Assistant Professor, Singapore Management University

Prof Xiaofei Xie recommendation letter, page 1Prof Xiaofei Xie recommendation letter, page 2

“I recommend him without reservation and am confident he will continue to excel in any academic or professional setting he chooses to pursue. He is a capable leader, a reliable team member, and a young professional of integrity and promise.”

Mehreen Tanvir

Program Manager, The Asia Foundation

Mehreen Tanvir recommendation letter, page 1Mehreen Tanvir recommendation letter, page 2

03 // RESEARCH

FIRST-AUTHOR PAPER IN PROGRESS

An Empirical Study of Vulnerabilities Missed by LLM-Based Code Review

I'm conducting an empirical study of real-world open-source vulnerability fixes, looking at which vulnerabilities LLM-based code reviews miss and what that means for future AI security tooling. I'm aiming for a top security or software-engineering venue, supervised by Prof Xiaofei Xie and Dr Lili Quan.

1st

Author

2026

SMU Internship

LLM SecurityVulnerability ResearchGitHub Vulnerability FixesEmpirical StudySoftware Engineering
COLLABORATIVE PAPER

Disclosure Audit and Submissions

I responsibly submitted disclosures of vulnerabilities found from a collaborative LLM application security project. I audited every piece of evidence, grouped genuine candidates and disclosed issues. I tracked an accurate record which kept the research claims conservative and accurate.

297

Rows Audited

56

Candidates Grouped

Responsible DisclosureVulnerability TriageEvidence TrackingGitHub IssuesResearch Ops
COLLABORATIVE PAPER

Vulnerability PoC Reproduction Framework

Related lab work continued. Reproduced 231 vulnerability PoCs from the lab's library-CVE dataset as Dockerised shooting ranges. Each PoC bundles a vulnerable server, attack script, Dockerfile, README, and reproduction notes. Anyone can clone and run.

231

PoCs Reproduced

100%

Completion Rate

DockerPythonFlaskHTTP ExploitationVulnerability Research
COLLABORATIVE PAPER

Open-Source LLM Application Deployments

I worked on a collaborative empirical study on the reproducibility of open-source LLM applications. I triaged 102 apps and got 79 of them deploying as pinned Docker images for the research group's use. Written failure analysis for the remaining 23, which were Python or CUDA version mismatches and upstream submodule rot.

102

Apps Triaged

79

Deployed

83

Docker Images

DockerPythonDependency PinningDocker HubWSL2
EARLY ALPHA CONTRIBUTION

TrustChain PenTest Engine

I contributed to the first alpha version of the lab's automated application pentest engine, before Prof Xiaofei Xie reworked the platform. My part was the exploit-generation flow and CVE search hooks, plus DOCX report generation and progress streaming. The source is private.

Alpha

Early Version

8

Tasks Delivered

DockerMicroservicesLLM AgentsCVE SearchReport Generation

04 // DISCLOSURES

I started my bug bounty hunting journey right after joining SMU as a research intern. Yuelin Wang, a PhD student in Prof Xie's group, inspired me to get into it. I worked closely with his vulnerability research and was impressed with how well he was doing across many YesWeHack leaderboards. It made me want to try it myself. So I treated it like my own passion project and did it every weekend. When I began, I struggled with a lot of my findings coming back as duplicates. Since they were still valid findings, I kept pushing through. My bug bounty hunting journey has been paused since April, when I took on my own first-author research project.

1

CVE Published

Dovecot CVE-2026-27855 (CVSS 6.8 Medium)

3

Further Awarded Bugs

CVSS 6.9, 6.8, and 4.8 via HackerOne

4

Paid Bounties

Across 3 programmes

8

Valid-but-Dupes

Accepted impact, duplicate reports

Published

CVE-2026-27855 (Dovecot)

CVE-2026-27855 (Dovecot)

auth_cache_remove() uses the wrong username field, allowing OTP replay when passdb rewrites the username during improper authentication. CVSS 6.8 Medium. Monetary reward via YesWeHack. Acknowledged on Dovecot's security disclosures page.

Rewarded

Three further HackerOne findings

Three further HackerOne findings

Three further bug bounties rewarded via HackerOne, at CVSS 6.9 Medium, CVSS 6.8 Medium, and CVSS 4.8 Medium. CVE assignment depends on vendor coordination.

Past invite-only programme

GovTech Bug Bounty Programme 17 (GBBP17)

Was invited into and active in GBBP17, the GovTech Bug Bounty Programme. Invite-only. Programme details remain under NDA.

Research practice

Eight valid-but-duplicate findings

Eight additional findings were accepted as valid but duplicate. They did not become bounty wins, but they reflect repeated real vulnerability discovery and report quality.

05 // EXPERIENCE

LLM Security Research Intern

Singapore Management University

Selected via NTU CRPO Cyber Translation Internship Programme

FEB 2026 - PRESENT

Research intern under Prof Xiaofei Xie, with Dr Lili Quan as day-to-day supervisor. First author on an empirical paper still in the works, studying vulnerabilities LLMs miss across real-world GitHub vulnerability fixes.

  • First-author paper still in the works, studying vulnerabilities LLMs miss across real-world vulnerability fixes and targeting a top venue.
  • Collaborative LLM application security paper contributions: triaged 102 open-source LLM and AI applications. 79 are reproducible Docker images with pinned dependencies.
  • Research artifact contributions: reproduced 231 vulnerability PoCs as Dockerised shooting ranges.
  • Disclosure workflow contributions: built the audit and submission workflow, separating paper evidence from maintainer-reportable issues and tracking outcome states.
  • Contributed to the first alpha version of the lab's automated pentest engine before it was substantially reworked and revamped by Prof Xiaofei Xie.
AI/LLM SecurityPrompt InjectionMCPSupply Chain SecurityDockerVulnerability Research

Lead Student Ambassador

TP Cybersecurity Clinic

Sponsored by The Asia Foundation, supported by Google.org

AUG 2025 - FEB 2026

Founding Lead Student Ambassador with pre-pilot involvement before the August 2025 launch. Ran Singapore's first polytechnic-led cybersecurity clinic for micro, small, and medium enterprises.

  • Conducted 12 on-site cybersecurity engagements personally, the most of any ambassador
  • Recruited, trained, and mentored 40 ambassadors
  • Clinic supported 38 MSMEs across Singapore, with three companies returning for up to four engagements
  • Two MSMEs offered me internships on the spot during engagements
  • Represented the Clinic in monthly online meetings with peer cyber clinics at UT Austin, UC Berkeley, and other global institutions
  • Drove the Clinic's admittance into the CyberSG Consortium and ongoing collaboration with NTU CRPO
LeadershipCybersecurity ConsultingMSME SupportTraining

Malware Analyst Intern

TP Malware Analysis Centre

MAY 2025 - AUG 2025

Researched deepfake detection methods. Represented Temasek Polytechnic at national and international events. Also conducted independent malware reverse engineering.

  • Selected to present DeepVysion+ (TP 2024-cohort Best Major Project) at GovWare 2025 to an international audience
  • Selected to present DeepVysion+ at SWITCH 2025 (Marina Bay Sands). A booth interview with an NTU CRPO researcher led directly to the SMU research internship offer.
  • Selected to present DeepVysion+ to David Neo, Major-General (MG) Lee Yi-Jin, and other SAF and DIS staff at SAF Day 2025
  • Presented at TP MAC to Singapore Police Force, Lifelong Learning Institute, NUS School of Computing leadership, and multiple overseas delegations
Malware AnalysisReverse EngineeringDeepfake DetectionPublic Speaking

07 // EVENTS

GovWare 2025

Presenter, DeepVysion+

Selected to present DeepVysion+, the Temasek Polytechnic 2024-cohort Best Major Project, to an international cybersecurity audience.

SAF Day 2025

Presenter, DeepVysion+

SAF Day 2025

Selected to present DeepVysion+ to David Neo, Major-General (MG) Lee Yi-Jin, and other SAF and DIS staff.

TP Malware Analysis Centre visits

Presenter

Selected to present DeepVysion+ and lab capabilities at TP MAC to visiting groups including Singapore Police Force, Lifelong Learning Institute, and NUS School of Computing leadership.

Common ICT Taster Programme 2025

Student speaker and coordinator

Spoke to the entire Temasek Polytechnic freshman cohort in an auditorium. Coordinated and led other senior students who presented across other cybersecurity and IT modules.

TP Open House

Speaker

Spoke as a representative during Temasek Polytechnic's Open House.

TP x HK IIT Inaugural International Hackathon 2025

Volunteer staff

Volunteer staff supporting the inaugural Temasek Polytechnic x Hong Kong IIT International Hackathon.

08 // ACHIEVEMENTS

  • 2026

    DIS University Work-Learn Scheme

    Digital and Intelligence Service (Singapore)

    Incoming DIS Cyber Specialist for the 2026 University Work-Learn Scheme.

  • 2025

    PolyFinTech100 API Hackathon (NETS track)

    Singapore FinTech Festival

    Runner-up.

  • 2024

    GovTech AI Hackathon

    GovTech Singapore

    Top 20% of participants.

09 // COMMUNITY

  • Jun 2024 - Present

    Malay Activity Executive Committee, Punggol Community Club

    Volunteer on the MAEC. Helped run Hari Raya events, food and care distributions, and community get-togethers.

  • Sep 2025 - Present

    Homage Care Professional

    Daily care shifts on Homage across Singapore which included overnight and full-day patient care.

  • Mar 2026

    Tarawih4Youth at Masjid Sultan

    Staff member during the Tarawih4Youth programme at Masjid Sultan, Ramadan 2026.

  • Feb 2026

    Ramadan 2026 food distribution at Masjid Ghufran

    Helped distribute food to the needy during Ramadan 2026.

  • Nov 2025

    Secondary 4 mentoring

    Hosted a Secondary 4 student for a one-week shadow programme at Temasek Polytechnic. Taught throughout the week and motivated him to begin HTB CPTS and Cisco CCNA. He is now around halfway through both at age 15.

10 // CONTACT

Let's connect.

I'm open to research collaborations, mentorship opportunities, and conversations about AI/LLM security. Currently based in Singapore.

20 · Cybersecurity & Digital Forensics graduate · LLM security and vulnerability research