Security Research — Four Pre-Disclosure Reports in 30 Days
Four pre-disclosure vulnerability reports in thirty days — each written so an executive could act on it.
Unprompted, I went looking for the failure modes nobody had reported yet, across authentication, token generation, DNS posture and credential exposure on a platform trusted with high-stakes contracts.
- 01
Dangling-IP subdomain takeover: found a brand subdomain still resolving to a cloud IP the provider had since reassigned to an unrelated third party — who was unknowingly serving an authentication flow under our brand. Caught through DNS / IP archaeology.
- 02
Predictable CSRF tokens: identified that anti-CSRF tokens were derived from a non-cryptographic PRNG (Mersenne Twister), and showed that with enough observed outputs the generator's internal state — and therefore all future tokens — becomes recoverable. Traced the weak primitive's blast radius across its full import footprint.
- 03
Unauthenticated MFA-disable callback: found a callback path that required no authentication and could be used to disable a target user's SMS multi-factor authentication — an MFA-bypass / account-takeover chain.
- 04
Leaked-credential audit: ran an OSINT review of corporate email exposure across public breach datasets to quantify real, current risk to staff accounts.
- 05
Wrote each one in executive register, framed against ISO 27001, with a concrete remediation plan rather than just a finding.
Four pre-disclosure reports delivered inside thirty days, each landing as an actionable remediation brief for both engineering and leadership.
- Security
- ISO 27001
- Code archaeology
Specifics — exact endpoints, file paths, addresses and third-party identities — are withheld for responsible disclosure and client confidentiality. Described here at the vulnerability-class level only.