One of my personal favorites. I've used it for parsing SAP's RPC network protocol, reverse-engineering Garmin apps [0], and more recently in a CTF challenge that involved an unknown file format, among others. It's surprisingly quick to pick up once you get the hang of the syntax.
The serialization branch for Python [1] (I haven't tried the Java one) has generally done the job for me, though I've had to patch a few edge cases.
One feature I've often wished for is access to physical offsets within the file being parsed (e.g. being able to tell that a field foo that you just parsed starts at offset 0x100 from the beginning of the file). As far as I know, you only get relative offsets to the parent structure.
It's really about striking a balance: giving vendors a fair chance to patch, while also not leaving users in the dark indefinitely. That's also why the 90-day disclosure policy has become common in the industry (e.g., Google's Project Zero). I've had cases where I tried reaching out via email, LinkedIn, Twitter, you name it, and got radio silence for months and months. Then, when you make the difficult decision to go public, the vendor finally reacts... That sudden urgency only shows up when there's a bit of spotlight.
SAP can mean so many things that it's easy to get lost in the weeds, and I'm just talking about getting familiar with their landscape... While working on that post, I found new vulnerabilities that SAP is now addressing.
I'll be honest, I've never been on the other side dealing with red tape. It'd probably drive me mad. But from the researcher/consultant side, it's definitely gotten easier to report vulnerabilities. Vendors now have security contacts, coordinated disclosure policies, and even bug bounty programs. Not all vendors, of course. But compared to 10 years ago, it's night and day.
The serialization branch for Python [1] (I haven't tried the Java one) has generally done the job for me, though I've had to patch a few edge cases.
One feature I've often wished for is access to physical offsets within the file being parsed (e.g. being able to tell that a field foo that you just parsed starts at offset 0x100 from the beginning of the file). As far as I know, you only get relative offsets to the parent structure.
0: https://github.com/anvilsecure/garmin-ciq-app-research/blob/...
1: https://doc.kaitai.io/serialization.html