Chris Wysopal
Security researcher

American computer security expert (born 1965)

Life: 1965 – present
Born: December 1, 1965
Nationality: United States

Chris Wysopal is an entrepreneur, computer security expert and co-founder and CTO of Veracode. He was a member of the high-profile hacker think tank the L0pht where he was a vulnerability researcher.

Early Life

Chris Wysopal was born in 1965 in New Haven, Connecticut, to a mother who worked as an educator and a father who worked as an engineer. He attended Rensselaer Polytechnic Institute in Troy, New York, where he earned a bachelor's degree in computer and systems engineering in 1987.

Career

Wysopal became the seventh member to join L0pht, the high-profile hacker think tank that gained widespread recognition in the late 1990s. During his time there, he worked as a vulnerability researcher, contributing to development projects that included Netcat and L0phtCrack for Windows. He also served as webmaster and graphic designer for the L0pht website and for Hacker News Network, described as the first hacker blog. His research produced published security advisories covering vulnerabilities in Microsoft Windows, Lotus Domino, Microsoft IIS, and ColdFusion.

In 1998, Wysopal was one of seven L0pht members who testified before a United States Senate committee, stating that they could bring down the Internet within 30 minutes. The testimony drew significant public and governmental attention to the state of internet security.

When L0pht was acquired by @stake in 1999, Wysopal became manager of @stake's Research Group and later its Vice President of Research and Development. Following @stake's acquisition by Symantec in 2004, he served as Director of Development.

In 2006, Wysopal co-founded Veracode alongside Christien Rioux, serving as CTO. Veracode was acquired by CA Technologies in 2017 for $614 million, subsequently spun out and acquired by Thoma Bravo for $950 million, and later purchased by TA Associates for $2.5 billion. Wysopal continued as CTO through these transitions before moving into the role of Chief Security Evangelist in 2024. In 2018, he joined the board of directors of Humanyze.

Vulnerability Disclosure Policy

Wysopal played a significant role in shaping industry standards for the responsible disclosure of software vulnerabilities. He contributed to RFPolicy, recognized as the first vulnerability disclosure policy. In 2002, together with Steve Christey of MITRE, he co-proposed an IETF RFC titled "Responsible Vulnerability Disclosure Process." Although the IETF ultimately rejected the proposal as outside its purview, the framework became the foundation for the Organization for Internet Safety, an industry group uniting software vendors and security researchers, of which Wysopal was a founder.

In 2001, he founded VulnWatch, a non-profit full-disclosure mailing list, serving as its moderator. In 2003, he testified before a United States House of Representatives subcommittee on the subject of vulnerability research and disclosure.

Notable Work

Wysopal holds several U.S. patents related to software security, including patents covering the assessment and analysis of software security flaws, automated behavioral and static analysis using instrumented sandboxes and machine learning for mobile security, and security assessment in virtual machines.

He co-authored The Art of Software Security Testing (Addison-Wesley, 2006) with Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin. He also edited Adam Shostack's Threat Modeling: Designing for Security (Wiley, 2014). His additional publications include articles on security debt, software security variation, and static detection of application backdoors, appearing in outlets such as ;login: The USENIX Magazine and Datenschutz und Datensicherheit - DuD.

Recognition

In 2008, Wysopal was named one of the 100 Most Influential People in IT by eWeek and selected as one of the InfoWorld CTO 25. He was named a SANS Security Thought Leader in 2010 and began serving on the Black Hat Review Board in 2012. Computer Reseller News named him one of the Top 25 Disruptors of 2013, and SC Magazine recognized him as one of five Security Thought Leaders in 2014. In 2023, CyberScoop named him a Cybersecurity Visionary.
