Security Research

Independent vulnerability research.

Coordinated disclosure across regional financial, government, and critical-infrastructure systems. Findings are reported to vendors first and published only with remediation confirmed and written permission granted.

The Practice

Research on its own terms.

Most production systems are assembled under deadline pressure. Security gaps are the predictable result, not the exception. Independent research exists to find those gaps before adversaries do and to give the operators a chance to close them quietly.

Every engagement here follows coordinated vulnerability disclosure. No destructive testing. No data exfiltrated beyond what is needed to prove impact. No technical detail published until the affected organisation has remediated and granted written permission to be named.

The page below is what is safe to share now.

Rules of Engagement

Research scope & boundaries.

Every finding documented on this page was discovered under the following operating rules. They apply without exception.

  1. Testing is limited to publicly accessible surfaces identified through passive reconnaissance.
  2. Authentication is bypassed only where an existing misconfiguration already permits it - never through active attack on correctly-configured auth.
  3. Credentials are not brute-forced, guessed, phished, or obtained through social engineering.
  4. Proof-of-concept stops at the minimum access required to verify impact. No bulk exfiltration. No lateral movement beyond what a finding strictly requires.
  5. No destructive testing. No data is written, modified, or deleted. No availability impact.
  6. Findings are reported to the affected vendor first, with a standard 90-day window before publication is considered.
74 Findings | 30 Critical | 9 Engagements | Active since 2026

Active Engagements

Disclosures

Anonymised | No proof-of-concept

Partial remediation

National social-insurance agency

Regional

7 total
3 crit 3 high 1 med
  • Authentication bypass via signing-key disclosure
  • IDOR mass-extraction of contribution records
  • CORS reflection with auth-header allowance

Chain demonstrating full-database extractability without valid credentials. Disclosed; partial fixes applied; core issues remain.

Partial remediation

Regional public-health data platform

Multilateral

7 total
4 crit 1 high 2 med
  • Unauthenticated national-registry API
  • Source-code & secrets disclosure
  • SQL injection in legacy login endpoint

Special-category patient data exposed via a combination of web-server misconfiguration and an unauthenticated development endpoint. Partial remediation; residual exposure outstanding.

Disclosed

Regional capital-markets institution

Multilateral

8 total
5 crit 1 high 2 med
  • Application-root disclosure
  • Debug-log PII retention over multi-year window
  • Directory-listed document repositories

Misconfigured web server exposing deployment artefacts and sustained logging of customer data. Disclosure sent to vendor; awaiting acknowledgment and remediation.

Acknowledged

US-accredited medical school

Multi-campus

13 total
6 crit 4 high 3 med
  • Unauthenticated REST API with full PII read
  • Directory-listed HR document archive with IDOR chain
  • Active LMS compromise - SEO-spam injection indicator

Multiple subsystems exposing student PII, a complete HR document archive, and evidence of an already-compromised learning-management system. Vendor acknowledged disclosure; detailed findings shared with assigned engineer for triage.

Disclosed

Regional banking-platform vendor

Multi-tenant

4 total
0 crit 2 high 2 med
  • Hardcoded vendor-wide AES key in pre-auth response
  • Cross-tenant IDOR on shared banking backend
  • Unauthenticated configuration bundle exposure

Banking-platform vendor shipping a hardcoded AES key in an unauthenticated response across a multi-bank fleet; hundreds of compromised customer sessions already visible in public infostealer telemetry. Disclosure sent to vendor; awaiting acknowledgment and remediation.

Acknowledged

Regional education credentialing authority

Multilateral

8 total
2 crit 1 high 5 med
  • Mass identity-document exposure via CMS media library
  • Dev-mirror cloning production PII without edge protection
  • ASP.NET framework & path disclosure on legacy portals

Public CMS media library used as a storage tier for exam-candidate identity documents; tens of thousands of records enumerable without authentication and duplicated on an unprotected development mirror. Disclosure acknowledged by asset owner; remediation in progress; regulator-escalation path remains pre-aligned with candidate-jurisdiction data-protection authorities.

Disclosed

Caribbean delivery SaaS

Regional

8 total
4 crit 1 high 3 med
  • Production cloud credentials leaked via unauthenticated config endpoint
  • Cross-tenant cloud-storage write via leaked operator IAM
  • Unauthenticated merchant directory enumeration

A single unauthenticated API response on a regional food-delivery platform exposes the operator's production cloud credentials, payment-gateway test secrets, and a multi-tenant storage bucket with no per-tenant access scoping. Disclosure sent to operator and SaaS host; coordinated credential rotation and bucket-policy hardening pending alongside the upstream template patch.

Disclosed

Multi-tenant delivery / ride-hailing SaaS template

Multi-tenant

7 total
3 crit 1 high 3 med
  • Per-tenant secrets retrievable via shared config route across the operator fleet
  • Suffix-based authentication exemption pattern in route handler
  • Multi-tenant cloud storage without per-tenant IAM scoping

Architectural defects in a SaaS delivery and ride-hailing platform template that ships to operators across the Americas, the Caribbean, MENA, and South Asia. Per-tenant credentials, payment-gateway secrets, and cross-tenant write capability are reachable without authentication on every operator deployment running the unpatched build. Disclosure sent to template vendor; upstream patch and coordinated rotation guidance pending.

Disclosed

Eastern Caribbean social-insurance authority

Regional

12 total
3 crit 6 high 3 med
  • End-to-end RCE chain via exposed source-control directory
  • Web-server account holds latent authority over monitoring stack
  • Public-facing software stack 11+ years past end-of-support

Eastern Caribbean public-sector social-insurance host running a public web stack 11+ years past end-of-support. A source-control directory in webroot leaks production database credentials; the database super-user is reachable from the public internet; remote code execution is possible via this chain. Disclosure sent; the source-control-exposure primitive repeats a class previously observed at a separate regional social-insurance agency.

Process

How disclosure works

Vendor-first, evidence-based, no surprises.

  1. Discovery & Validation - Finding is reproduced, scoped, and severity-rated. Impact is measured using the minimum access required to prove the issue. No data exfiltrated beyond what the report needs.
  2. Responsible Disclosure - Written report sent directly to the affected organisation through the most senior appropriate channel. Includes reproduction steps, impact, and suggested remediation. No third parties notified.
  3. Remediation Window - Standard 90-day window, flexible where vendors are engaged and progressing. Retesting offered free of charge. Findings are re-verified before any fix is considered closed.

Cards stay anonymised unless the affected party grants written permission to be named.

Disclosure Intake

Reporting a vulnerability in a KG3N system.

If you believe you have found a vulnerability in one of the systems KG3N Dynamics operates or publishes, our full coordinated-disclosure policy - including scope, safe-harbour terms, response SLAs, and reporting instructions - can be accessed here. A written acknowledgment is sent within 72 hours of any in-scope report.

Engage KG3N

Need the same rigour on your stack?

The research above is performed independently. The same methodology is available as a commissioned engagement.