Security Research

Independent vulnerability research.

Coordinated disclosure across regional financial, government, and critical-infrastructure systems. Findings are reported to vendors first and published only with remediation confirmed and written permission granted.

86Findings
31Critical
10Engagements
2026Active since
Open-source disclosures

Named contributions.

Where the affected project is open source and the vendor response is on the record, findings can be named. These are coordinated disclosures to public projects.

VLC media player

VideoLAN / June 2026
Acknowledged
Memory safetyOpen sourceCoordinated disclosure

A source review of VLC's development branch surfaced a set of memory-safety issues across several demuxers. The lead finding was a critical heap buffer overflow and pointer hijack in the MP4/MOV demuxer, reachable simply by opening or auto-probing a crafted file - no playback or interaction required. Reported privately under coordinated disclosure with minimized proof-of-concept files and AddressSanitizer logs.

  • CriticalHeap memory-safety vulnerability in the MP4/MOV demuxer, reachable when opening a crafted file.
  • HighHeap out-of-bounds write in HEIF grid-image assembly.
  • MediumOut-of-bounds read in ATSC EIT descriptor parsing (MPEG-TS demuxer).
  • DesignAdd-on installer lacks integrity / authenticity verification for downloaded add-ons.
  • LowFurther code-review findings across the RTP, MKV, and Ogg demuxers, plus dependency-hygiene notes.

Reported privately with proof-of-concept files and AddressSanitizer logs. As VLC 4.0 is still in development, the findings are tracked by VideoLAN rather than assigned CVEs.

Rules of Engagement

Research scope & boundaries.

Every finding documented on this page was discovered under the following operating rules. They apply without exception.

  1. 01

    Testing is limited to publicly accessible surfaces identified through passive reconnaissance.

  2. 02

    Authentication is bypassed only where an existing misconfiguration already permits it - never through active attack on correctly-configured auth.

  3. 03

    Credentials are not brute-forced, guessed, phished, or obtained through social engineering.

  4. 04

    Proof-of-concept stops at the minimum access required to verify impact. No bulk exfiltration. No lateral movement beyond what a finding strictly requires.

  5. 05

    No destructive testing. No data is written, modified, or deleted. No availability impact.

  6. 06

    Findings are reported to the affected vendor first, with a standard 90-day window before publication is considered.

Anonymised / No proof-of-concept

Disclosures.

Partial remediationRegional

National social-insurance agency

3 Critical3 High1 Medium7 total
  • Authentication bypass via signing-key disclosure
  • IDOR mass-extraction of contribution records
  • CORS reflection with auth-header allowance

Chain demonstrating full-database extractability without valid credentials. Disclosed; partial fixes applied; core issues remain.

Partial remediationMultilateral

Regional public-health data platform

4 Critical1 High2 Medium7 total
  • Unauthenticated national-registry API
  • Source-code & secrets disclosure
  • SQL injection in legacy login endpoint

Special-category patient data exposed via a combination of web-server misconfiguration and an unauthenticated development endpoint. Partial remediation; residual exposure outstanding.

DisclosedMultilateral

Regional capital-markets institution

5 Critical1 High2 Medium8 total
  • Application-root disclosure
  • Debug-log PII retention over multi-year window
  • Directory-listed document repositories

Misconfigured web server exposing deployment artefacts and sustained logging of customer data. Disclosure sent to vendor; awaiting acknowledgment and remediation.

AcknowledgedMulti-campus

US-accredited medical school

6 Critical4 High3 Medium13 total
  • Unauthenticated REST API with full PII read
  • Directory-listed HR document archive with IDOR chain
  • Active LMS compromise - SEO-spam injection indicator

Multiple subsystems exposing student PII, a complete HR document archive, and evidence of an already-compromised learning-management system. Vendor acknowledged disclosure; detailed findings shared with assigned engineer for triage.

DisclosedMulti-tenant

Regional banking-platform vendor

0 Critical2 High2 Medium4 total
  • Hardcoded vendor-wide AES key in pre-auth response
  • Cross-tenant IDOR on shared banking backend
  • Unauthenticated configuration bundle exposure

Banking-platform vendor shipping a hardcoded AES key in an unauthenticated response across a multi-bank fleet; hundreds of compromised customer sessions already visible in public infostealer telemetry. Disclosure sent to vendor; awaiting acknowledgment and remediation.

AcknowledgedMultilateral

Regional education credentialing authority

2 Critical1 High5 Medium8 total
  • Mass identity-document exposure via CMS media library
  • Dev-mirror cloning production PII without edge protection
  • ASP.NET framework & path disclosure on legacy portals

Public CMS media library used as a storage tier for exam-candidate identity documents; tens of thousands of records enumerable without authentication and duplicated on an unprotected development mirror. Disclosure acknowledged by asset owner; remediation in progress.

DisclosedRegional

Caribbean delivery SaaS

4 Critical1 High3 Medium8 total
  • Production cloud credentials leaked via unauthenticated config endpoint
  • Cross-tenant cloud-storage write via leaked operator IAM
  • Unauthenticated merchant directory enumeration

A single unauthenticated API response on a regional food-delivery platform exposes the operator's production cloud credentials, payment-gateway test secrets, and a multi-tenant storage bucket with no per-tenant access scoping. Coordinated credential rotation and bucket-policy hardening pending.

DisclosedMulti-tenant

Multi-tenant delivery / ride-hailing SaaS template

3 Critical1 High3 Medium7 total
  • Per-tenant secrets retrievable via shared config route across the operator fleet
  • Suffix-based authentication exemption pattern in route handler
  • Multi-tenant cloud storage without per-tenant IAM scoping

Architectural defects in a SaaS delivery and ride-hailing platform template that ships to operators across the Americas, the Caribbean, MENA, and South Asia. Per-tenant credentials, payment-gateway secrets, and cross-tenant write capability are reachable without authentication on every unpatched deployment. Disclosure sent to template vendor.

DisclosedRegional

Eastern Caribbean social-insurance authority

3 Critical6 High3 Medium12 total
  • End-to-end RCE chain via exposed source-control directory
  • Web-server account holds latent authority over monitoring stack
  • Public-facing software stack 11+ years past end-of-support

Eastern Caribbean public-sector social-insurance host running a public web stack 11+ years past end-of-support. A source-control directory in webroot leaks production database credentials; the database super-user is reachable from the public internet; remote code execution is possible via this chain.

Cards stay anonymised unless the affected party grants written permission to be named.

Vendor-first, evidence-based, no surprises

How disclosure works.

01

Discovery & Validation

Finding is reproduced, scoped, and severity-rated. Impact is measured using the minimum access required to prove the issue. No data exfiltrated beyond what the report needs.

02

Responsible Disclosure

Written report sent directly to the affected organisation through the most senior appropriate channel. Includes reproduction steps, impact, and suggested remediation. No third parties notified.

03

Remediation Window

Standard 90-day window, flexible where vendors are engaged and progressing. Retesting offered free of charge. Findings are re-verified before any fix is considered closed.

Reporting a vulnerability in a KG3N system.

If you believe you have found a vulnerability in one of the systems KG3N Dynamics operates or publishes, our full coordinated-disclosure policy - including scope, safe-harbour terms, response SLAs, and reporting instructions - can be accessed here. A written acknowledgment is sent within 72 hours of any in-scope report.