The criteria I used to rank:
- The level of complexity of the research. (How hard would it be for me to do the same research?)
- The usefulness of the research to other security researchers.
- Novelty, scale of exploitation and impact.

Top candidates:
- Exploiting Hardened .NET Deserialization: New Exploitation Ideas and Abuse of Insecure Serialization
  - https://github.com/thezdi/presentations/blob/main/2023_Hexacon/whitepaper-net-deser.pdf