Ever happened upon code that just smells, where you know something isn't right? This happens often when we adopt open source packages and projects, even well-maintained ones backed by industry giants. In this talk, Rotem tells the tale of going down the hacker rabbit hole when you encounter code that doesn't feel right or behave as you would expect. He covers two different exploit journeys, one with NGINX and one with Open Distro for Elasticsearch, and how to find, identify and isolate the code that is misbehaving. He also walks through the process of researching and validating the exploit, and ultimately the proper methods for disclosure, triage and remediation.