GK.Gergely Kovács
← Projects
Vulnerability researcher2026

Security Research — Four Pre-Disclosure Reports in 30 Days

Four pre-disclosure vulnerability reports in thirty days — each written so an executive could act on it.

01The problem

Unprompted, I went looking for the failure modes nobody had reported yet, across authentication, token generation, DNS posture and credential exposure on a platform trusted with high-stakes contracts.

02The elegant solution
  1. 01

    Dangling-IP subdomain takeover: found a brand subdomain still resolving to a cloud IP the provider had since reassigned to an unrelated third party — who was unknowingly serving an authentication flow under our brand. Caught through DNS / IP archaeology.

  2. 02

    Predictable CSRF tokens: identified that anti-CSRF tokens were derived from a non-cryptographic PRNG (Mersenne Twister), and showed that with enough observed outputs the generator's internal state — and therefore all future tokens — becomes recoverable. Traced the weak primitive's blast radius across its full import footprint.

  3. 03

    Unauthenticated MFA-disable callback: found a callback path that required no authentication and could be used to disable a target user's SMS multi-factor authentication — an MFA-bypass / account-takeover chain.

  4. 04

    Leaked-credential audit: ran an OSINT review of corporate email exposure across public breach datasets to quantify real, current risk to staff accounts.

  5. 05

    Wrote each one in executive register, framed against ISO 27001, with a concrete remediation plan rather than just a finding.

03The outcome

Four pre-disclosure reports delivered inside thirty days, each landing as an actionable remediation brief for both engineering and leadership.

Stack
  • Security
  • ISO 27001
  • Code archaeology

Specifics — exact endpoints, file paths, addresses and third-party identities — are withheld for responsible disclosure and client confidentiality. Described here at the vulnerability-class level only.