Scalable AI security review,
verified by humans.

Loopcheck is a research project helping organizations secure their codebases by using AI to find and review vulnerabilities at scale.

What we do

Vulnerability research

Recent advances in AI allow us to review large codebases at scale. We use Claude Opus with custom markdown-based harnesses to find candidate vulnerabilities, which are then verified by a human researcher to minimize false positives.

We often focus on open-source software, and contribute fixes upstream where feasible to improve the security of the wider ecosystem.

Knowledge sharing

We share our methods and lessons learned from using AI to find vulnerabilities in widely deployed software, and talk with teams interested in applying the same approach to their own work.

Approach

We review a whole codebase and its dependencies rather than a single component. The method works in two stages. First, an AI-assisted pipeline surfaces candidate vulnerabilities at scale, covering repositories too large for one human auditor to read by hand, and where possible builds a working proof of concept for each candidate. Second, every candidate is manually triaged, verified and traced to a root cause by a human researcher. We tune the pipeline to minimize false positives, but some are unavoidable, which is exactly why human review is essential; many candidates are discarded as not exploitable. The validation, the written report and any fixes are led by humans, with AI assisting along the way.

The outcome is a security report covering the components we review, a set of responsibly disclosed findings, and, where feasible, upstream fixes contributed back to the project.

Track record

30+ CVEs and valid findings in widely deployed software
58 merged open-source pull requests

These findings span widely deployed software, from browsers to infrastructure and developer tools. The bug classes range from native memory-safety issues in C and C++ to web and injection bugs in JavaScript.

  • CVE-2026-8558 (Google Chrome): Out-of-bounds write in the font path allowing remote code execution inside the sandbox. Rated High, CVSS 8.8. Chrome VRP reward.
  • CVE-2026-4699 (Mozilla Firefox): Incorrect boundary conditions in Layout, Text and Fonts. Rated High, published as MFSA 2026-20.
  • CVE-2026-41148 (Mermaid): CSS injection from improper sanitization in the JavaScript diagramming library. Code injection, CWE-94. Fixed upstream.

Other confirmed findings span Keycloak, Apache ActiveMQ, Spotify, Rancher, Argo, Home Assistant, Sentry, NetworkManager, Gitea, Vim and others.

Team

Andrej

Vulnerability researcher

Penetration tester with 7 years of experience, focused on building AI pipelines that combine deterministic tooling and LLMs to find vulnerabilities in widely deployed software.

Matej

Vulnerability researcher

Security professional experienced in bug bounty and responsible disclosure programs, with a background in software development and code review.

Contact

Want us to look at your codebase, curious about our methods, or following up on one of our findings? Email us and we will get back to you.