Approach
We review a whole codebase and its dependencies rather than a single component. The method works in two
stages. First, an AI-assisted pipeline surfaces candidate vulnerabilities at scale, covering repositories
that a single human auditor could not read by hand, and where possible builds a working proof of concept
for each candidate. Second, every candidate is manually triaged, verified and traced to a root cause by a
human researcher. We tune the pipeline to minimize false positives, but some are unavoidable, which is
exactly why human review is essential: many candidates are discarded as not exploitable. The validation,
the written report, and any fixes are led by humans, with AI assisting along the way.
The outcome is a security report covering the components we review, a set of responsibly disclosed
findings, and, where feasible, upstream fixes contributed back to the project.
Track record
30+ CVEs and valid findings in widely deployed software
58 merged open-source pull requests
These findings span widely deployed software, from browsers to infrastructure and developer
tools. The bug classes range from native memory-safety issues in C and C++ to web and injection bugs in
JavaScript.
- CVE-2026-8558, Google Chrome: out-of-bounds write in the font path allowing remote code execution inside the
  sandbox. Rated High, CVSS 8.8. Chrome VRP reward.
- CVE-2026-4699, Mozilla Firefox: incorrect boundary conditions in Layout, Text and Fonts. Rated High, published
  as MFSA 2026-20.
- CVE-2026-41148, Mermaid: CSS injection from improper sanitization in the JavaScript diagramming library.
  Code injection, CWE-94. Fixed upstream.
Other confirmed findings include Keycloak, Apache ActiveMQ, Spotify, Rancher, Argo, Home
Assistant, Sentry, NetworkManager, Gitea and Vim, among others.