Over the course of the last decade or so, I discovered and reported dozens of
security bugs in popular software packages. By necessity, the list below
contains just a subset of those; multiple security reports never had
a CVE number assigned to them, for various reasons.
I generally focus on low-level application security, which covers projects like the Linux kernel, various input parsing libraries (images, PDF, media, etc.), web browsers, system services, Internet network services and similar.
The most frequent tool I use to discover software flaws is Honggfuzz, which you can read more about in the Software section of this site.
In 2016 I was nominated for a Pwnie Award for publishing a flaw in the AMD CPUs. The flaw enabled unprivileged users of a VM to execute code at the host's CPU ring0. The Register published a short article on how the bug was discovered.
In 2017 I was again nominated for the same Pwnie Award, this time for finding a (pre-auth) vulnerability in the OpenSSL suite which potentially allowed remote code execution on a vulnerable system.