Security researcher

Tavis Ormandy

English computer security analyst

Tavis Ormandy is an English white-hat hacker working in computer security. Until October 10, 2025, he was employed by Google and was formerly part of Google's Project Zero team.

Career

Tavis Ormandy is an English white-hat computer security researcher who was employed by Google until October 10, 2025. During his tenure, he was a member of Google's Project Zero team, a group dedicated to finding zero-day vulnerabilities in software and hardware used across the internet.

Notable Work

Ormandy has been credited with discovering severe vulnerabilities in a wide range of products and platforms throughout his career.

He identified critical security flaws in LibTIFF and in Microsoft Windows, as well as significant vulnerabilities in Sophos antivirus software. His research into Sophos products was extensive enough to produce a 30-page paper in 2012 titled Sophail: Applied Attacks Against Sophos Antivirus. The paper concluded that Sophos was "working with good intentions" but was "ill-equipped to handle the output of one co-operative security researcher working in his spare time," and recommended that its products not be deployed on high-value systems.

In 2014, Ormandy created an exploit demonstrating how a vulnerability in glibc — known since 2005 — could be leveraged to gain root access on a 32-bit Fedora system.

In 2015, working alongside fellow researcher Natalie Silvanovich, he discovered a severe vulnerability in FireEye products.

In 2016, Ormandy demonstrated multiple vulnerabilities in Trend Micro Antivirus on Windows, specifically related to its Password Manager component, as well as vulnerabilities affecting Symantec security products.

In February 2017, he found and reported a critical bug in Cloudflare's infrastructure that caused sensitive user data to leak alongside ordinary web requests, affecting millions of websites. The flaw was widely referred to as Cloudbleed, a name evoking the earlier Heartbleed vulnerability that Google had co-discovered.

In May 2023, Ormandy discovered and reported Zenbleed (CVE-2023-20593), a vulnerability affecting all processors based on AMD's Zen 2 architecture.

In September 2024, he was involved in uncovering a microcode vulnerability affecting certain AMD Zen-based processors, tracked as CVE-2024-56161.

Recognition

Ormandy's body of work spans over a decade of high-impact vulnerability research targeting antivirus engines, cloud infrastructure, and processor microarchitectures. His findings have prompted security improvements at some of the largest technology and cybersecurity companies in the world, and his detailed public disclosures have contributed to broader awareness of systemic weaknesses in widely deployed security products.
