173 public security records across 83 projects

security research in software and hardware trust infrastructure

all research follows coordinated vulnerability disclosure (cvd). public statements reference only published advisories and released fixes.

57 CVEs published
14 GHSAs (no CVE)
25 security PRs
18 upstream security contributions
59 reported fixes merged upstream

top infrastructure brands in the current portfolio by public footprint include:

Linux Google AWS Microsoft Telegram Signal OpenSSL Mozilla Ledger Trezor Prometheus HashiCorp Sigstore

how findings are found

findings come from an ai-augmented detection pipeline. every finding is backed by deterministic, human-verified proof: reproducible artifacts that maintainers can rerun independently.

no llm sits in the decision path. detection generates hypotheses; a local harness confirms or rejects each one against canonical and control logs plus witness files.

research focus

  • trust infrastructure — certificate validation, transparency, signing, update security, attestation, and policy enforcement
  • focus — boundary failures in systems that decide what is authentic, authorized, and safe to run across software, cloud, and hardware-backed environments

advisories

detailed technical write-ups for selected findings.

1SEAL-2026-011

torvalds/linux · no CVE/GHSA

Linux Bluetooth SMP legacy pairing can satisfy BT_SECURITY_HIGH without MITM protection — CVSS 7.1, CWE-287.

high

1SEAL-2026-010

theopolis/uefi-firmware-parser · PR #145 · no CVE/GHSA

two critical out-of-bounds writes in the imported Tiano decompressor — CRITICAL, CWE-787.

critical

1SEAL-2026-009

openssl/openssl · PR #30323 · no CVE/GHSA

OpenSSL 3.6 stapled OCSP verification can accept unauthorized responders from the peer chain — HIGH, CWE-295.

high

1SEAL-2026-008

TelegramMessenger/Telegram-iOS · fix commit c5a0ad267cbd2a61a0d4548490f6af5521fa55df · release-12.4

Telegram iOS Web App bridge exposed to third-party iframes via all-frame injection and missing main-frame validation — CWE-863, CWE-346.

medium

1SEAL-2026-007

TelegramMessenger/Telegram-iOS · fix commit 8e9cd79855683efb9a3cbf14a1ecd637cfbf7b54 · release-12.4

heap buffer over-read in TL deserialization from operator precedence bug — CVSS 5.3, CWE-125.

medium

1SEAL-2026-003

tektoncd/pipeline · CVE-2026-33211 · GHSA-j5q5-j9gm-2w5c

path traversal in the git resolver escalates single-tenant access to cluster-wide secret access — CVSS 9.6, CWE-22.

critical

1SEAL-2026-006

moby/buildkit · CVE-2026-33747 · GHSA-4c29-8rgm-jvjj

ContainerID path traversal in gateway frontend can escape runc executor root — CVSS 8.4, CWE-22.

high
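the two CWE-22 entries above (tekton's git resolver, buildkit's gateway ContainerID) share one failure shape: a tenant-controlled string is joined onto a trusted root and the result is used as if it were still inside that root. the Go example below is added here to show the checks that close that gap; it is not code from either project, and the root path, identifiers and sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned for any value that would resolve outside the root.
var ErrEscapesRoot = errors.New("path escapes root")

// ValidateSingleComponent accepts identifiers that must name exactly one
// directory entry under a root (a container ID, a tenant name): no path
// separators, no "." or "..", no NUL. Anything else is rejected before it
// ever reaches a filepath.Join.
func ValidateSingleComponent(id string) error {
	switch {
	case id == "", id == ".", id == "..":
		return fmt.Errorf("invalid identifier %q", id)
	case strings.ContainsAny(id, "/\\\x00"):
		return fmt.Errorf("identifier %q contains a path separator or NUL", id)
	}
	return nil
}

// escapes reports whether rel (a result of filepath.Rel) climbs out of the base.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeJoin joins an untrusted relative path under root and proves, lexically,
// that the cleaned result is still inside root. It never touches the filesystem,
// so it cannot be confused by what currently exists there.
func SafeJoin(root, untrusted string) (string, error) {
	if untrusted == "" || strings.ContainsRune(untrusted, 0) {
		return "", fmt.Errorf("invalid path %q", untrusted)
	}
	if filepath.IsAbs(untrusted) {
		// filepath.Join would quietly re-root an absolute value under root;
		// a tenant-supplied absolute path is never legitimate, so fail loudly.
		return "", ErrEscapesRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, untrusted) // Join also Cleans: ".." and "." are resolved here
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	if escapes(rel) {
		return "", ErrEscapesRoot
	}
	return joined, nil
}

// ConfirmUnderRoot is the physical check SafeJoin cannot do: once a tenant can
// plant symlinks inside root, a lexically clean path may still point outside it.
// Both sides are resolved so that a symlinked root compares equal to itself.
func ConfirmUnderRoot(root, path string) error {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	realPath, err := filepath.EvalSymlinks(path)
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return err
	}
	if escapes(rel) {
		return ErrEscapesRoot
	}
	return nil
}

func main() {
	// Constructed inputs of the kind a tenant or build client controls.
	for _, id := range []string{"c1", "../../../etc", "c1/../..", ".."} {
		fmt.Printf("id %-16q -> %v\n", id, ValidateSingleComponent(id))
	}
	root := "/var/lib/executor"
	for _, p := range []string{"tasks/build.yaml", "../../secrets/token", "a/../../b", "/etc/passwd", "ok/../still-ok"} {
		out, err := SafeJoin(root, p)
		fmt.Printf("path %-22q -> %q err=%v\n", p, out, err)
	}
}
```

ValidateSingleComponent is the right gate for an identifier that should never contain a separator at all; SafeJoin covers genuinely multi-segment paths. both are lexical, so ConfirmUnderRoot is still needed after the path exists wherever the tenant can also create symlinks under the root.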

1SEAL-2026-001

awslabs/aws-c-event-stream

remote out-of-bounds write in streaming decoder — CVSS 8.1, CWE-787. fixed in v0.6.0.

high

1SEAL-2026-002

aws/aws-lc · GHSA-3jrg-j22w-mpmc · GHSA-394x-vwmw-crm3

Name Constraints bypass via CommonName fallback, with further gaps for wildcard and Unicode CNs — CVSS 7.4, CWE-295.

high
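the aws-lc entry above turns on one rule: whatever name set a hostname verifier is allowed to match (SAN dNSNames, or the CN when there is no SAN) is the set name constraints must be enforced on, and wildcard and non-ASCII CNs need their own handling. the Go example below is added to show that rule in a self-contained checker; it is not aws-lc code, it models certificates with a constructed struct instead of parsing X.509, and the constraint values and CNs are made up.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Cert is a constructed stand-in for the fields consulted here, not crypto/x509.Certificate.
type Cert struct {
	CommonName string
	DNSNames   []string // SAN dNSName values
}

type Constraints struct{ Permitted, Excluded []string } // a CA's dNSName subtrees

var (
	ErrNotPermitted = errors.New("name outside every permitted subtree")
	ErrExcluded     = errors.New("name covers or lies inside an excluded subtree")
	ErrNonASCII     = errors.New("non-ASCII name cannot be compared to A-label constraints")
	ErrBadWildcard  = errors.New("wildcard allowed only as the whole leftmost label")
)

// CandidateNames is the set a hostname verifier may match against: SAN dNSNames if
// present, otherwise the CN (RFC 6125 fallback). Constraints go on exactly this set.
func CandidateNames(c *Cert) []string {
	if len(c.DNSNames) > 0 {
		return c.DNSNames
	}
	if c.CommonName != "" {
		return []string{c.CommonName}
	}
	return nil
}

// withinSubtree is RFC 5280 4.2.1.10 dNSName matching: "example.com" covers itself
// and every subdomain, ".example.com" covers subdomains only.
func withinSubtree(host, base string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	base = strings.TrimSuffix(strings.ToLower(base), ".")
	if strings.HasPrefix(base, ".") {
		return strings.HasSuffix(host, base)
	}
	return host == base || strings.HasSuffix(host, "."+base)
}

// normalize lowercases, drops a trailing dot and strips a leftmost "*." label. A
// U-label (non-ASCII) name is refused: constraints carry A-labels (punycode), so
// without an IDNA conversion step the only safe answer is to fail closed.
func normalize(name string) (base string, wildcard bool, err error) {
	base = strings.TrimSuffix(strings.ToLower(name), ".")
	for _, r := range base {
		if r > unicode.MaxASCII {
			return "", false, fmt.Errorf("%w: %q", ErrNonASCII, name)
		}
	}
	base, wildcard = strings.CutPrefix(base, "*.")
	if strings.Contains(base, "*") {
		return "", false, fmt.Errorf("%w: %q", ErrBadWildcard, name)
	}
	return base, wildcard, nil
}

// CheckNameConstraints applies nc to every candidate name. A wildcard is judged by
// what it can expand to: its base must lie inside a permitted subtree, and it is
// rejected when an excluded subtree lies under that base.
func CheckNameConstraints(leaf *Cert, nc Constraints) error {
	names := CandidateNames(leaf)
	if len(names) == 0 {
		return errors.New("certificate carries no DNS name to constrain")
	}
	for _, n := range names {
		base, wildcard, err := normalize(n)
		if err != nil {
			return err
		}
		allowed := len(nc.Permitted) == 0
		for _, p := range nc.Permitted {
			allowed = allowed || withinSubtree(base, p)
		}
		if !allowed {
			return fmt.Errorf("%w: %q", ErrNotPermitted, n)
		}
		for _, ex := range nc.Excluded {
			if withinSubtree(base, ex) || (wildcard && withinSubtree(strings.TrimPrefix(ex, "."), base)) {
				return fmt.Errorf("%w: %q vs %q", ErrExcluded, n, ex)
			}
		}
	}
	return nil
}

func main() {
	nc := Constraints{Permitted: []string{"corp.example"}, Excluded: []string{"secret.corp.example"}}
	// constructed CN-only leaves, one per gap the check must close
	for _, cn := range []string{"mail.corp.example", "evil.test", "*.example", "*.corp.example", "bücher.corp.example"} {
		fmt.Printf("CN=%q (no SAN) -> %v\n", cn, CheckNameConstraints(&Cert{CommonName: cn}, nc))
	}
}
```

when a SAN is present the CN is ignored entirely, so a leaf with SAN app.corp.example passes even with CN evil.test. a wildcard is constrained by the domain it expands to, so `*.corp.example` is refused whenever an excluded subtree sits under corp.example. non-ASCII CNs are refused outright here; with an IDNA step (for instance golang.org/x/net/idna) they could instead be converted to A-labels and compared, but without one a U-label never equals its punycode constraint and the comparison is meaningless.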

1SEAL-2026-005

LedgerHQ/app-bitcoin-new

signing-path integrity gate bypass via merkle preimage binding break — CWE-825. fixed in commit 0586ab2.

high

CVEs

GHSAs (no CVE)

published security advisories without a known cve id.

security fixes & hardening PRs

public security PRs: vulnerability fixes and security hardening.

upstream security contributions

explicitly credited upstream fixes plus authored testing, fuzzing, and hardening contributions.

reported upstream — fixes landed publicly

reported via security contacts or public trackers; fixes landed upstream.

disclosure policy

1seal follows coordinated vulnerability disclosure (cvd). findings are reported to maintainers first, with reasonable time for patches before public disclosure.

no testing on production systems with real user data. no trading on non-public vulnerability knowledge. no pressure tactics or threats of disclosure.