Methodology

Security research is a trust business. This page explains how we work, in enough detail that you can decide whether to trust us.

Humans lead

Models and tools help with code navigation, hypothesis generation, and triage. Human researchers pick the targets, verify every finding, decide severity, write the reports, and handle disclosure. Nothing ships on a model's word alone.

Automation is bounded

Our automation does passive intake, local code indexing, static analysis, and report preparation. It does not do unsupervised exploitation, credential collection, persistence, lateral movement, mass scanning, or data exfiltration. It never touches anything outside explicit authorization.

Every target is authorized

We work on our own infrastructure, on bug bounty programs within their published scope, and on open-source projects under coordinated disclosure. If it is not ours and not in scope, we do not touch it.

Findings are verified, not guessed

A finding counts when it reproduces: a real build, a minimal proof of concept, sanitizer output or a debugger trace to show the root cause. If we cannot reproduce it, we say so instead of shipping it.

Disclosure is coordinated

Private report first. Maintainers get time to fix, we follow the standard windows, and public write-ups come after the fix ships or the window closes. Credit is nice; safer software is the point.