Hunting Variants: Finding the Bugs Behind the Bug

In this episode of The BlueHat Podcast, host Nic Fillingham is joined by George Hughey from Microsoft who returns to discuss his Blue Hat India talk on variant hunting, explaining how MSRC uses submission data from hacking competitions like Pwn2Own and Tianfu Cup to uncover additional security vulnerabilities in Windows. George shares how incentives in competitions differ from bug bounty programs, how tools like CodeQL assist variant hunting, and why collaborating with the security research community is key to improving Windows security. In This Episode You Will Learn : How hacking competitions help find real-world Windows vulnerabilities The role of MSRC in hunting variants beyond submitted vulnerabilities Why fuzzing is not always effective for modern edge cases Some Questions We Ask: How do you decide which cases to pursue for variant hunting? What advice do you have for researchers submitting variants? How does the CodeQL team collaborate with your team? Resources: View George Hughey on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Hosted on Acast. See acast.com/privacy for more information.

You can listen to Hunting Variants: Finding the Bugs Behind the Bug online on Radio and Podcast. Open the player on this page to stream the available audio.

Hunting Variants: Finding the Bugs Behind the Bug is an episode from Security Unlocked by Bruce Bracken.

This episode is 39:51 long.

This episode was published on Jul 9, 2025.

Yes. Use the heart button on the episode page to add it to your favorite episodes list.

Yes. This page shows related episodes from Security Unlocked when more episodes are available from the podcast feed.