PhD students and Postdocs

We are constantly looking for motivated and talented PhD students and postdocs interested in these areas:

  • Web security, security testing, automated vulnerability analysis
  • Application of ML/AI for security
  • Metaverses/WebXR Security and Privacy

Please look at our recent publications to learn more about our areas of interest.

If you would like to know more, please send your questions to Giancarlo Pellegrino.

General Requirements

  • A BSc/MSc/PhD degree in Computer Science, Information/Cyber Security, Mathematics, or equivalent
  • English proficiency (knowledge of German is not required)
  • Excellent programming skills
  • (Depending on the topic of interest) Proven background in web security, program analysis, and/or reinforcement learning/machine learning

How to apply

All applications must be submitted through the CISPA application system and contain:

  1. A cover letter. As the CISPA application system is centralized, your cover letter must specify that you are applying for a position in the group of Dr. Pellegrino
  2. A CV
  3. A recent transcript of records
  4. Certificates
  5. Names, titles, and email addresses of your referees

It is recommended to submit PDF files only. Microsoft Office documents will be discarded.

To speed up the process, consider sending me a heads-up email about your submission at pellegrino@cispa.de.

Moar Instructions

Why submit boring applications?!

Is sending a bunch of PDFs via email too boring for you? Would you like to spice up your application a little bit? Say no more. I got you covered!

Here is a challenge for you. This webpage is vulnerable! Your goal is to identify the vulnerability, write a vulnerability report called vuln_report.pdf, and attach it to your application email!

The report must convince me (the developer) of the problem and its potential risk. I would recommend structuring the report as shown below. Solving the challenge is strongly recommended.

1. Name

Insert the name of the vulnerability here.

2. Description

Describe the vulnerable behavior.

3. Security risk

Describe how easily an attacker can exploit this vulnerability.

4. PoC

Assuming https://secwebdev.it/api/v1/delete_database is the web API that can wipe out a production database, please include a proof of concept that can reliably exploit the vulnerability.

5. (Optional) Past instances

Please show me the importance of this vulnerability by finding an example of a similar vulnerability that affected at least one famous website in the past!