human borrow checker (but logic bugs are best bugs). works at Google Project Zero.
The density of logic bugs (compared to memory corruption bugs) goes down as the privilege differential between attacker context and target context goes up.
I find stack overflow security bugs fascinating; and on Linux, compilers still don't protect against stack overflows by default when stack frames are bigger than stack guard pages.
So I went looking around in Android, and thanks to how Android's RPC mechanism allows recursive synchronous callbacks in some cases, I managed to find a way to jump a thread guard page in system_server from shell context and (with very low success rate) get instruction pointer control:
https://project-zero.issues.chromium.org/issues/465827985
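An added example, not part of the original post or the linked report: a build-time audit that reads GCC's `-fstack-usage` output (`.su` files) and flags functions whose frame is at least as large as the guard region, or whose stack use is dynamic and unbounded. The function names, the sample data and the 4 KiB guard size are assumptions made for illustration.

```python
# Constructed sample of GCC -fstack-usage output. Each .su line is
# "file:line:col:function<TAB>bytes<TAB>qualifier"; these entries are made up.
SAMPLE_SU = (
    "rpc.c:12:5:handle_call\t96\tstatic\n"
    "rpc.c:40:6:decode_blob\t65568\tstatic\n"
    "rpc.c:88:6:copy_args\t48\tdynamic\n"
    "util.c:9:5:fmt_name\t4128\tdynamic,bounded\n"
)

# Assumption: a single 4 KiB guard page below each thread stack.
GUARD_BYTES = 4096


def audit_stack_usage(su_text, guard_bytes=GUARD_BYTES):
    """Return (function, bytes, reason) for frames a guard page may not catch."""
    findings = []
    for line in su_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # not a stack-usage record
        location, size_text, qualifier = parts
        try:
            size = int(size_text)
        except ValueError:
            continue
        # Assumes C symbol names and file paths without ':' in them.
        function = location.split(":", 3)[-1]
        qualifiers = qualifier.split(",")
        if size >= guard_bytes:
            # One stack-pointer adjustment this large can step over the
            # guard page without ever touching it.
            reason = "frame >= guard page"
        elif "dynamic" in qualifiers and "bounded" not in qualifiers:
            # alloca/VLA with no compile-time bound: size is caller-controlled.
            reason = "unbounded dynamic allocation"
        else:
            continue
        findings.append((function, size, reason))
    return findings


if __name__ == "__main__":
    for function, size, reason in audit_stack_usage(SAMPLE_SU):
        print(f"{function}: {size} bytes ({reason})")
```

Flagged functions are candidates for rebuilding with `-fstack-clash-protection`, which makes the compiler probe each page of a large frame, or for a `-Wframe-larger-than=` limit in the build.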