Responsible disclosures
A record of vulnerabilities I’ve found and reported. Listed in reverse-chronological order. Where a CVE has been issued, it’s linked. Where the vendor has acknowledged but no CVE has been assigned, that’s noted.
I follow standard coordinated-disclosure practice: report privately to the vendor, agree on an embargo, publish only after fix or after a reasonable window has passed. If you’re a vendor and want to report something to me, see contact.
2026
Anthropic — Open-source MCP implementation
Vulnerability discovered in Anthropic’s open-source MCP tooling. Reported via Anthropic’s security disclosure programme. Acknowledged by their security team.
- Status: Disclosed and acknowledged.
- Tooling used: Arbiter (web layer) and Aletheia (binary layer).
Cloudflare — Pingora
Security issue identified in Cloudflare’s Pingora open-source HTTP infrastructure. Reported through Cloudflare’s responsible-disclosure programme.
- Status: Disclosed.
- Tooling used: Arbiter.
SecureDrop — SecureDrop finding
Finding in SecureDrop disclosed to the project. Informed the design of Veilguard, the clean-room Rust rebuild.
- Status: Disclosed.
Earlier
Log4Shell incident response (2021)
Not a discovery — but worth recording: I led the Log4Shell incident response at Kobalt Music, founded the Security Incident Response Team there, and have referenced that work in subsequent role applications and talks. Not a disclosure in the formal sense; included for completeness.