research · found by sekura
findings we proved — anonymized, with evidence.
Real vulnerabilities surfaced by Sekura in design-partner engagements. Disclosed privately first; published anonymized once cleared. No scores, no spam — proof.
- Critical: Reachable ReDoS in a web-facing identity service
Across a 5-repository platform (SAST + live DAST), Sekura proved a transitive dependency ([email protected]) was reachable from a login-path service and that a single crafted, unauthenticated request pinned a worker via catastrophic regex backtracking. Delivered with evidence, a verdict, and a one-line lockfile fix.
how we disclose
- Every finding is proven, not scored — we confirm exploitability and show the evidence.
- We disclose privately to the affected party first; public writeups are anonymized until cleared.
- No AI bug-spam: a finding ships only after the pipeline produces a reproducible verdict.