CYBERSECURITY RESEARCHER

Hamizan Azman

Security research at Singapore Management University, supervised by Prof Xiaofei Xie. First-author paper on LLM agent frameworks in the works. CVE-2026-27855 published in Dovecot at CVSS 6.8, plus three further bounties on HackerOne at CVSS 6.9, 6.8, and 4.8.

Singapore Management University
NTU CyberSG R&D Programme Office
Temasek Polytechnic
Digital & Intelligence Service
Google.org
The Asia Foundation

01 // ABOUT

I'm a 19-year-old cybersecurity researcher in Singapore who recently graduated with a Diploma in Cybersecurity and Digital Forensics from Temasek Polytechnic.

Since February 2026 I have been a research intern at Singapore Management University under Prof Xiaofei Xie, with Dr Lili Quan as day-to-day supervisor. I am first author on a paper proposing a bug-class taxonomy and fix-pattern design for LLM agent frameworks, targeting a top security or software-engineering venue.

I founded the TP Cybersecurity Clinic as its first Lead Student Ambassador from August 2025 to February 2026, running Singapore's first polytechnic-led cybersecurity clinic for MSMEs. I oversaw support for 38 MSMEs and the training of 40 ambassadors, and personally led 12 on-site engagements. I was behind its admittance into the CyberSG Consortium.

On the disclosure side, I have one CVE published at CVSS 6.8 Medium, a second bug at CVSS 6.9 Medium, third at CVSS 6.8 Medium, and a fourth at CVSS 4.8 Medium. Four paid bug bounties total across three programmes, six valid-but-duplicate findings, and currently active in an invite-only GovTech Bug Bounty Programme.

I was accepted into the DIS University Work-Learn Scheme as a Cyber Specialist for 2026.

Location: Singapore
Education: TP Cybersecurity & Digital Forensics
Graduated: May 2026
Role: Research Intern @ SMU
Supervisor: Prof Xiaofei Xie
Focus: LLM Security
DIS UWLS: Cyber Specialist (2026)
Certification: CompTIA Security+

02 // RESEARCH

FIRST-AUTHOR PAPER

Bug-Class Taxonomy for LLM Agent Frameworks

I'm first author on a paper mapping the kinds of bugs that show up in real LLM agent frameworks (LangChain, LangGraph, CrewAI, LlamaIndex) and proposing a small library of fix patterns developers can reach for. We treat reproducibility under model non-determinism as its own axis, which prior work (Zhang, Zhu, "When Agents Fail") does not. Supervised by Prof Xiaofei Xie and Dr Lili Quan.

4 Frameworks Studied · 1st Author

LLM Agents · LangChain · LangGraph · CrewAI · LlamaIndex · Software Engineering
LIB2APP CONTRIBUTOR

Open-Source LLM Application Deployments

Work on Lib2App, led by Yuelin Wang (Tianjin University PhD), on reproducibility of open-source LLM applications. Triaged 102 apps and got 79 deploying as pinned Docker images, with 83 published on Docker Hub under hoomzoom. The 23 that wouldn't deploy each have a written failure analysis (mostly Python or CUDA version mismatches and upstream submodule rot).

102 Apps Triaged · 79 Deployed · 83 Docker Images

Docker · Python · Dependency Pinning · Docker Hub · WSL2
RESEARCH

TrustChain PenTest Engine

I help build the lab's automated application pentest engine, which is led by a PhD researcher at SMU. It runs as 26 Docker services behind one entry port, doing exploit generation, CVE search, DOCX report writing, and SSE progress streaming. The platform exposes per-tool progress at stage 1 and a partial-automation mode with rerun. Source is private.

26 Microservices · 8 Tasks Delivered

Docker · Microservices · LLM Agents · CVE Search · Report Generation
LIB2APP CONTRIBUTOR

Vulnerability PoC Reproduction Framework

Lib2App work continued. Reproduced 231 vulnerability PoCs from the lab's library-CVE dataset as Dockerised shooting ranges. Each PoC bundles a vulnerable server, attack script, Dockerfile, README, and reproduction notes. Anyone can clone and run.

231 PoCs Reproduced · 100% Completion Rate

Docker · Python · Flask · HTTP Exploitation · Vulnerability Research
FINAL-YEAR PROJECT

Forward Proxy Security

Final-year project at Temasek Polytechnic on forward proxy security. A demanding architecture-level problem that took me deep into network-layer threat modelling and TLS interception.

Y3 FYP

Network Security · Forward Proxy · TLS · Architecture

03 // DISCLOSURES

Active vulnerability research in open-source authentication and protocol code. One CVE published, three further bounties on HackerOne with CVEs pending assignment, and currently active in an invite-only GovTech programme.

  • 1 CVE Published: Dovecot CVE-2026-27855 (CVSS 6.8 Medium)
  • 3 CVEs In Process: CVSS 6.9, 6.8, and 4.8 via HackerOne, bounties paid
  • 4 Paid Bounties: Across 3 programmes
  • 6 Valid-but-Dupes: Sustained research practice

Published

CVE-2026-27855 (Dovecot)

auth_cache_remove() uses the wrong username field, allowing OTP replay when passdb rewrites the username during improper authentication. CVSS 6.8 Medium. Monetary reward via YesWeHack. Acknowledged on Dovecot's security disclosures page.

Rewarded, CVE pending

Three further HackerOne findings

Three further bug bounties rewarded via HackerOne, at CVSS 6.9 Medium, CVSS 6.8 Medium, and CVSS 4.8 Medium. CVE identifiers pending vendor coordination.

Active

GovTech Bug Bounty Programme 17 (GBBP17)

Invited into and currently active in GBBP17, the GovTech Bug Bounty Programme. Invite-only. Programme details under NDA.

Ongoing

Coordinated disclosure pipeline

Further open-source disclosures in progress alongside a collaborator. Details withheld until reports are public.

04 // EXPERIENCE

LLM Security Research Intern

Singapore Management University

Selected via NTU CRPO Cyber Translation Internship Programme

FEB 2026 - PRESENT

Research intern under Prof Xiaofei Xie, with Dr Lili Quan as day-to-day supervisor. First author on a paper proposing a bug-class taxonomy and fix-pattern design for LLM agent frameworks across LangChain, LangGraph, CrewAI, and LlamaIndex.

  • First-author paper proposing a bug-class taxonomy and fix-pattern design for LLM agent frameworks (LangChain, LangGraph, CrewAI, LlamaIndex). Supervised by Prof Xiaofei Xie and Dr Lili Quan.
  • Lib2App contributions (paper led by Yuelin Wang): triaged 102 open-source LLM and AI applications. 79 are reproducible Docker images with pinned dependencies. 83 are public on Docker Hub under hoomzoom.
  • Lib2App contributions: reproduced 231 vulnerability PoCs as Dockerised shooting ranges. Anyone can clone and run.
  • Helping build the lab's automated pentest engine of 26 Docker services. Covers exploit generation, CVE search, DOCX report generation, and SSE progress streaming.
AI/LLM Security · Prompt Injection · MCP · Supply Chain Security · Docker · Vulnerability Research

Lead Student Ambassador

TP Cybersecurity Clinic

Sponsored by The Asia Foundation, supported by Google.org

AUG 2025 - FEB 2026

Founding Lead Student Ambassador with pre-pilot involvement before the August 2025 launch. Ran Singapore's first polytechnic-led cybersecurity clinic for micro, small, and medium enterprises.

  • Conducted 12 on-site cybersecurity engagements personally, the most of any ambassador
  • Recruited, trained, and mentored 40 ambassadors
  • Clinic supported 38 MSMEs across Singapore, with three companies returning for up to four engagements
  • Two MSMEs offered me internships on the spot during engagements
  • Represented the Clinic in monthly online meetings with peer cyber clinics at UT Austin, UC Berkeley, and other global institutions
  • Drove the Clinic's admittance into the CyberSG Consortium and ongoing collaboration with NTU CRPO
Leadership · Cybersecurity Consulting · Community Impact · Training

Malware Analyst Intern

TP Malware Analysis Centre

MAY 2025 - AUG 2025

Researched deepfake detection methods. Represented Temasek Polytechnic at national and overseas events. Also conducted independent malware reverse engineering.

  • Selected to present DeepVysion+ (TP 2024-cohort Best Major Project) at GovWare 2025 to an international audience
  • Selected to present DeepVysion+ at SWITCH 2025 (Marina Bay Sands). A booth interview with an NTU CRPO researcher led directly to the SMU research internship offer.
  • Selected to present DeepVysion+ to David Neo, Major-General (MG) Lee Yi-Jin, and other SAF and DIS staff at SAF Day 2025
  • Presented at TP MAC to Singapore Police Force, Lifelong Learning Institute, NUS School of Computing leadership, and multiple overseas delegations
Malware Analysis · Reverse Engineering · Deepfake Detection · Public Speaking

05 // EVENTS

GovWare 2025

Presenter, DeepVysion+

Selected to present DeepVysion+, the Temasek Polytechnic 2024-cohort Best Major Project, to an international cybersecurity audience.

SAF Day 2025

Presenter, DeepVysion+

Selected to present DeepVysion+ to David Neo, Major-General (MG) Lee Yi-Jin, and other SAF and DIS staff.

TP Malware Analysis Centre visits

Presenter

Selected to present DeepVysion+ and lab capabilities at TP MAC to visiting groups including Singapore Police Force, Lifelong Learning Institute, and NUS School of Computing leadership.

Common ICT Taster Programme 2025

Student speaker and coordinator

Spoke to the entire Temasek Polytechnic freshman cohort in a theatre setting. Coordinated and led other senior students who presented across cybersecurity and IT modules.

TP Open House

Speaker

Spoke as a representative during Temasek Polytechnic's Open House.

TP x HK IIT Inaugural International Hackathon 2025

Volunteer staff

Volunteer staff supporting the inaugural Temasek Polytechnic x Hong Kong IIT International Hackathon.

06 // RECOGNITION

  • 2026

    DIS University Work-Learn Scheme

    Digital and Intelligence Service (Singapore)

    Accepted as a Cyber Specialist for the 2026 intake, after passing IPPT Silver in December 2025.

  • 2025

    PolyFinTech100 API Hackathon (NETS track)

    Singapore FinTech Festival

    Runner-up. One spot away from the prize.

  • 2025

    AMP Education Bursary

    AMP Singapore

    Bursary recipient. Same body funded my CompTIA Security+ certification voucher.

  • 2024

    GovTech AI Hackathon

    GovTech Singapore

    Top 20% of participants.

  • 2024

    SparkCTF

    Singapore Polytechnic

    Participated.

07 // COMMUNITY

  • Jun 2024 - Present

    Malay Activity Executive Committee, Punggol Community Club

    Volunteer on the MAEC. Helped run multiple Hari Raya events, food and care distributions, and community get-togethers.

  • Sep 2025 - Present

    Homage care work

    Daily care shifts on Homage across Singapore. Mixed schedule of short visits, overnight, and full-day shifts. Have not missed a day except for declared holidays and illness.

  • Mar 2026

    Tarawih4Youth at Masjid Sultan

    Staff member during the Tarawih4Youth programme at Masjid Sultan, Ramadan 2026.

  • Feb 2026

    Ramadan 2026 food distribution

    Helped distribute food to the needy during Ramadan 2026.

  • Nov 2025

    Secondary 4 mentoring

    Hosted a Secondary 4 student for a one-week shadow programme at Temasek Polytechnic. Taught throughout the week and motivated him to begin HTB CPTS and Cisco CCNA. He is now around halfway through both at age 15, and sent a thank-you email to TP lecturers about the mentorship.

08 // CERTIFICATIONS

CompTIA Security+ SY0-701

CompTIA

Completed

Industry standard cybersecurity certification. Funded by AMP Singapore.

Certified 06 July 2025 · Expires 06 July 2028 · Code ZM78MC1S0EB15REJ

HTB Certified Penetration Testing Specialist (CPTS)

Hack The Box

In progress

Sponsored by AMP Singapore.

10 // TESTIMONIAL

“I recommend him without reservation and am confident he will continue to excel in any academic or professional setting he chooses to pursue. He is a capable leader, a reliable team member, and a young professional of integrity and promise.”

Mehreen Tanvir

Program Manager, The Asia Foundation

11 // IMPACT

  • 1 CVE Published: Dovecot CVE-2026-27855, CVSS 6.8 Medium
  • 3 CVEs In Process: CVSS 6.9, 6.8, and 4.8 via HackerOne, bounties paid
  • 4 Paid Bug Bounties: Across 3 programmes
  • 6 Valid-but-Dupes: Sustained research practice
  • 231 Vulnerability PoCs Reproduced: Full dataset rebuilt as runnable shooting ranges
  • 79 LLM Apps Containerised: 83 pinned images on Docker Hub under hoomzoom
  • 38 MSMEs Supported: Through the TP Cybersecurity Clinic
  • 40 Ambassadors Trained: Recruited and mentored as Lead Student Ambassador
  • 12 On-Site Engagements: Personally led, the most of any ambassador

12 // CONTACT

Let's connect.

I'm open to research collaborations, mentorship opportunities, and conversations about AI/LLM security. Currently based in Singapore.

19 · TP Cybersecurity & Digital Forensics graduate · focus on LLM security

Built by Hamizan Azman · hamizanazman.com