Security Research

Independent vulnerability research.

Coordinated disclosure across regional financial, government, and critical-infrastructure systems. Findings are reported to vendors first and published only with remediation confirmed and written permission granted.

The Practice

Research on its own terms.

Most production systems are assembled under deadline pressure. Security gaps are the predictable result, not the exception. Independent research exists to find those gaps before adversaries do and to give the operators a chance to close them quietly.

Every engagement here follows coordinated vulnerability disclosure. No destructive testing. No data exfiltrated beyond what is needed to prove impact. No technical detail published until the affected organisation has remediated and granted written permission to be named.

The page below is what is safe to share now. As remediation lands and permissions clear, entries move from "Active" to the Hall of Fame and, where applicable, to full technical writeups.

Rules of Engagement

Research scope & boundaries.

Every finding documented on this page was discovered under the following operating rules. They apply without exception.

  1. Testing is limited to publicly accessible surfaces identified through passive reconnaissance.
  2. Authentication is bypassed only where an existing misconfiguration already permits it - never through active attack on correctly-configured auth.
  3. Credentials are not brute-forced, guessed, phished, or obtained through social engineering.
  4. Proof-of-concept stops at the minimum access required to verify impact. No bulk exfiltration. No lateral movement beyond what a finding strictly requires.
  5. No destructive testing. No data is written, modified, or deleted. No availability impact.
  6. Findings are reported to the affected vendor first, with a standard 90-day window before publication is considered.

39 Findings | 18 Critical | 5 Engagements | Active since 2026

Active Engagements

Disclosures in progress.

Anonymised while remediation or permission is pending. Severity and vulnerability class only - no organisation names, endpoints, or proof-of-concept material.

Partial remediation

National social-insurance agency

Regional

7 total: 3 crit, 3 high, 1 med
  • Authentication bypass via signing-key disclosure
  • IDOR mass-extraction of contribution records
  • CORS reflection with auth-header allowance

Chain demonstrating full-database extractability without valid credentials. Disclosed; partial fixes applied; core issues remain.

Partial remediation

Regional public-health data platform

Multilateral

7 total: 4 crit, 1 high, 2 med
  • Unauthenticated national-registry API
  • Source-code & secrets disclosure
  • SQL injection in legacy login endpoint

Special-category patient data exposed via a combination of web-server misconfiguration and an unauthenticated development endpoint. Partial remediation; residual exposure outstanding.

Disclosed

Regional capital-markets institution

Multilateral

8 total: 5 crit, 1 high, 2 med
  • Application-root disclosure
  • Debug-log PII retention over multi-year window
  • Directory-listed document repositories

Misconfigured web server exposing deployment artefacts and sustained logging of customer data. Disclosure sent to vendor; awaiting acknowledgment and remediation.

Acknowledged

US-accredited medical school

Multi-campus

13 total: 6 crit, 4 high, 3 med
  • Unauthenticated REST API with full PII read
  • Directory-listed HR document archive with IDOR chain
  • Active LMS compromise - SEO-spam injection indicator

Multiple subsystems exposing student PII, a complete HR document archive, and evidence of an already-compromised learning-management system. Vendor acknowledged disclosure; detailed findings shared with assigned engineer for triage.

Disclosed

Regional banking-platform vendor

Multi-tenant

4 total: 0 crit, 2 high, 2 med
  • Hardcoded vendor-wide AES key in pre-auth response
  • Cross-tenant IDOR on shared banking backend
  • Unauthenticated configuration bundle exposure

Banking-platform vendor shipping a hardcoded AES key in an unauthenticated response across a multi-bank fleet; hundreds of compromised customer sessions already visible in public infostealer telemetry. Disclosure sent to vendor; awaiting acknowledgment and remediation.

Organisation names, dates, and acknowledgment letters appear in the Hall of Fame below once remediation is confirmed and written permission is granted.

Hall of Fame

Named disclosures.

Published only after the affected organisation has remediated the issue and granted written permission to be acknowledged.

No named entries yet. Active disclosures are tracked above. As each organisation remediates and grants permission, entries are added here with date, severity, vulnerability class, and acknowledgment letter.

Technical Writeups

Post-remediation analyses.

Long-form technical writeups of each disclosure, published once the vendor has confirmed remediation and approved the sanitised content.

No writeups published yet. Each Hall of Fame entry is accompanied by a technical writeup when the vendor grants permission. Writeups omit live credentials, working proof-of-concept, and any detail that enables re-exploitation.

Process

How disclosure works

Vendor-first, evidence-based, no surprises.

  1. Discovery & Validation - Finding is reproduced, scoped, and severity-rated. Impact is measured using the minimum access required to prove the issue. No data exfiltrated beyond what the report needs.
  2. Responsible Disclosure - Written report sent directly to the affected organisation through the most senior appropriate channel. Includes reproduction steps, impact, and suggested remediation. No third parties notified.
  3. Remediation Window - Standard 90-day window, flexible where vendors are engaged and progressing. Retesting offered free of charge. Findings are re-verified before any fix is considered closed.
  4. Permission Request - After remediation is confirmed, written permission is requested to list the organisation publicly. The draft writeup - live credentials, endpoints, and payloads stripped - is shared with the vendor for review before publication.
  5. Publication - Entry added to Hall of Fame with severity, vulnerability class, and acknowledgment letter. Technical writeup published once approved. If permission is declined the entry stays anonymised permanently.

Disclosure Intake

Reporting a vulnerability in a KG3N system.

If you believe you have found a vulnerability in one of the systems KG3N Dynamics operates or publishes, our full coordinated-disclosure policy - including scope, safe-harbour terms, response SLAs, and reporting instructions - can be accessed here. A written acknowledgment is sent within 72 hours of any in-scope report.

Engage KG3N

Need the same rigour on your stack?

The research above is performed independently. The same methodology is available as a commissioned engagement.