Open Positions: PhD Positions in Automatic Vulnerability Discovery

At the Max Planck Institute for Security and Privacy, two PhD positions are to be filled as soon as possible in cooperation with the RUB and the TU Braunschweig.

The Max Planck Institute for Security and Privacy (MPI-SP) in Bochum is a research institute of the Max Planck Society for the Advancement of Science that conducts interdisciplinary research into the many aspects of IT security and data protection. The newly founded and expanding institute will eventually comprise 18 research groups and employ approximately 200 staff and guests. The institute cooperates with the Faculty of Computer Science at the Ruhr-Universität Bochum (RUB). Bochum is one of the world's leading research locations for cybersecurity and home to Europe's largest educational institution in this field as well as a vibrant start-up scene.

One PhD position is available for each of the following two research projects, funded under the Cluster of Excellence CASA and conducted by MPI-SP in cooperation with RUB and the Technische Universität Braunschweig (TU Braunschweig):

Research project: Testing and Explaining the Limits of Machine Learning for Automated Vulnerability Discovery:
In this project, we aim to open the black box that is machine learning for automatic vulnerability discovery. We are interested in understanding why a classifier would flag a code fragment as vulnerability and how it reasons about the program’s behavior without any formal semantics. Our goal is to systematically assess the capabilities and limitations of learning-based approaches for vulnerability discovery, thereby establishing a better understanding of their role in software security. While the PhD student will be based at MPI-SP in Bochum, the project will be performed across three research groups at CASA, including Prof Konrad Rieck’s group at TU Braunschweig and Kevin Borgolte’s group at RUB.


  • Strong system building skills (C/C++, Python, ML frameworks)
  • Experience in machine learning (e.g., classification, embeddings, DNNs)
  • Some background in bug finding (testing, fuzzing, static analysis, reversing, or CTFs)

Research project: A Bayesian Framework for Automatic Vulnerability Discovery:
In this project, we aim to tackle the precision-recall challenge of program analysis for automated vulnerability discovery: While overapproximate static analysis reports too many bugs that do not exist (false positives), underapproximate dynamic analysis does not report bugs that do indeed exist (false negatives). Our goal is to develop novel techniques that allow the security engineer to dynamically adjust just how conservative the program analysis is allowed to be. On any given program, if our analysis returns too many false bugs (or not enough true bugs), the security engineer can dynamically adjust the analysis accuracy to a reasonable level.


  • Strong system building skills (C/C++, Python, Docker)
  • Experience in program analysis (SAST/DAST), fuzzing, and/or reversing
  • Some background in statistics.

Please send your detailed application in a single PDF file (max. 5 MB) by July 31, 2022, to Marcel Böhme: marcel.boehme(at)

The Max Planck Institute for Security and Privacy stands for a collaborative, diverse and inclusive workplace culture and promotes equal opportunities. We strongly encourage applications from members of any underrepresented group in our research area. In particular, we invite and motivate women and individuals with disabilities to apply.

General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.