A 21 y.o. sophomore (also a former secondary vocational school student) from China. Expected to be unavailable in a short period due to health issues.
Blog: https://blog.canyie.top/
Research Outputs (such as papers, presentations, etc.):
- Parcel Mismatch Demystified: Addressing a Decade-Old Security Challenge in Android
The 32nd ACM Conference on Computer and Communications Security (ACM CCS 2025) - Parcel Mismatch - The History, Mitigation and Vulnerabilities
Google bugSWAT Mexico City 2025 (Closed-Door Conference) - VsyncBreaker: Subverting Screen Trust via State Disruption and ONE-WAY Flooding
BlackHat Asia 2026
Also see my blog which contains many informal research articles.
Acknowledgements & Rankings:
- As of 2026/02/08 I am currently ranked #21 in the world on the entire Google Bug Hunters platform, #7 in the 2024 year, #6 in the 2025 year, and #5 in the entire Android Program. I'm also the champion of the Android Vulnerability Reward Program in 2025, see my name in Google VRPs in Review – 2025!
- Nickname "canyie" on Android Security Acknowledgements, Google Bug Hunters Leaderboard, Xiaomi Security Center, Huawei Bug Bounty Program, Huawei Security Acknowledgement, and Samsung Mobile Security
Bugs & Vulnerabilities:
- Android & Google Devices: contributed to CVE-2024-0044 (PoC & writeup), CVE-2024-31318, CVE-2024-43080, CVE-2024-43081, CVE-2024-43088, CVE-2024-43090, CVE-2024-43762, CVE-2024-49733, CVE-2024-49741, CVE-2024-49743, CVE-2024-49744, CVE-2025-0076, CVE-2025-0100, CVE-2025-22432, CVE-2025-26464, CVE-2025-32323, CVE-2025-36889, CVE-2025-48524, CVE-2025-48535, CVE-2025-48545, CVE-2025-48554, CVE-2025-48569, CVE-2025-48570, CVE-2025-48573, CVE-2025-48575, CVE-2025-48580, CVE-2025-48582, CVE-2025-48611, CVE-2025-48615, CVE-2025-48635, CVE-2025-48645, CVE-2025-48648, CVE-2026-0014
- Huawei: CVE-2025-31175
(This list may be out of sync. Search "canyie" in Android acknowledgements for all!)
Disclaimer: Although I'm a member of LSPosed Team, all repositories hosted by this account are owned by myself. They are maintained by me alone and have no affiliation with the LSPosed team nor are they part of the LSPosed community.