Responsible Disclosure
Disclosures
Coordinated vulnerability disclosures following a 90-day responsible disclosure policy. Each finding includes vendor response, CVE (where assigned), and full timeline.
PGP key available on request•Disclosure policy: 90 days + 30-day patch window•Contact for sensitive reports
No public disclosures yet
Active research in progress. First disclosure expected Q2 2026.
Hunting: MCP cross-server trust boundaries, CI/CD agent injection surfaces, intent-inversion in schema-validated tool-calling systems.