Advisories
Real vulnerabilities. Real impact.
The same engine that protects our customers surfaces novel vulnerabilities in the wild. We disclose them responsibly.
Research output
- Advisories published: 03
- Highest CVSS: 9.8
- Coordinated disclosure: 100%
Critical · SYN-001 · Pre-auth RCE · CVSS 9.8
Unauthenticated remote code execution via unsafe deserialization
A pre-auth endpoint deserialized attacker-controlled input, yielding remote code execution. Validated end to end and reported ahead of public disclosure.
Reported · 2026-01-31
Published · 2026-02-06
High · SYN-002 · Access control · CVSS 8.1
Cross-tenant data access via predictable object references
An IDOR chain exposed records belonging to other tenants. Confirmed with full reproduction across 8,400 enumerable objects.
Reported · 2026-03-12
Published · 2026-03-20
High · SYN-003 · Auth bypass · CVSS 7.6
Authentication bypass through JWT algorithm confusion
A token-verification flaw allowed forged sessions via algorithm confusion. Reported with a minimal proof-of-concept and remediation.
Reported · 2026-04-02
Published · 2026-04-11
Coordinated disclosure
How we handle what we find
We give vendors time to fix before anything goes public. Always.
1. Report privately to the vendor with a working proof-of-concept.
2. Coordinate a remediation timeline, typically 90 days.
3. Publish the advisory only after a fix is available or the window closes.
Security researcher? Get in touch
Ready when you are
Found before it's exploited
Put the engine that finds zero-days in the wild to work on your own applications.