published CVEs, GHSAs & security PRs
security research in software supply chain trust infrastructure
all research follows coordinated vulnerability disclosure (cvd). public statements reference only published advisories and released fixes.
how findings are found
findings are found via an ai-augmented detection pipeline. proof is deterministic and human-verified: every finding has reproducible artifacts that maintainers can rerun independently.
no llm sits in the decision path. detection generates hypotheses; a local harness confirms or rejects each one with canonical/control logs and witness files.
research focus
- sigstore ecosystem — cosign, rekor, sigstore libraries
- certificate transparency — certificate-transparency-go (ct-go)
- tuf implementations — go-tuf and related update frameworks
- chainguard toolchain — apko, melange, malcontent
- kubernetes trust tooling — cert-manager (acme dns01)
CVEs
GHSAs (no CVE)
published security advisories without a known cve id.
security fixes & hardening PRs
public security PRs: vulnerability fixes and security hardening.
credited upstream fixes
upstream PRs merged with explicit credit to @1seal.
credit pending
merged upstream PRs for which explicit credit is expected soon (listed here to avoid misattribution until the credit is visible).
testing contributions
upstream fuzzing/testing contributions (not counted as security fixes).
disclosure policy
1seal follows coordinated vulnerability disclosure (cvd). findings are reported to maintainers first, with reasonable time for patches before public disclosure.
no testing on production systems with real user data. no trading on non-public vulnerability knowledge. no pressure tactics or threats of disclosure.