This is where Safeguard publishes its own security research output: coordinated disclosure timelines, technical write-ups, and the structured-trace evidence the platform produced before a finding became an advisory. Every disclosure on this page was coordinated with the upstream maintainer before publication.
The principles below are what every advisory on this page was written under. They're the rules of engagement, not the marketing copy.
Every disclosure begins with a private notification to the upstream maintainer and any directly affected downstream packagers. Nothing is published until a fix is available or the disclosure window has elapsed in good faith.
We follow a 90-day default disclosure window from the day the maintainer acknowledges receipt. Extensions are granted on request when a fix is in active development; we say no when the window starts being used to defer the conversation.
Where the affected code is open source and we have a reasonable patch, we propose it with the report. A disclosure with a working patch attached is faster to land and easier for maintainers to triage on a quiet Friday afternoon.
Advisories name the upstream maintainer who shipped the fix, any external researcher who reported the underlying class, and the Safeguard engineers who carried the analysis. The work that lands the patch is the work that gets the byline.
A JSON sink in the structured-log transformer accepted attacker-controlled type tags, allowing remote code execution through a prototype-pollution gadget chained into the library's plugin loader. Reachable from any service that logged a request body before sanitisation. Patched in the maintainer's 4.2.1 release with a strict type allowlist; coordinated disclosure window was honoured to the day.
A widely-used build helper resolved private package names against the public index before falling back to the configured mirror, so an attacker who registered a colliding name on the public index could intercept dependency resolution during build. We disclosed to the helper's maintainer and to three downstream package managers; the resolver now hard-fails on namespace collisions by default.
Recursive merge accepted untrusted keys including __proto__ and constructor, polluting global object prototypes whenever the utility processed an attacker-shaped configuration file. Reachable from CI pipelines that ingested PR-author-controlled JSON. Maintainer shipped a sanitising fork; we proposed a one-line key-deny check that landed in the patch release.
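The recursive-merge class described above, with an unhardened merge beside one that carries a key-deny check. This is an added illustration, not the affected utility's code or the patch that landed; naiveMerge, safeMerge, DENIED_KEYS and the sample payload are constructed for the example.

```javascript
// Added illustration; naiveMerge, safeMerge and DENIED_KEYS are hypothetical names.
const DENIED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Unhardened recursive merge: recurses into whatever key the source supplies.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: own keys only, denied keys skipped, never recurses into inherited objects.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DENIED_KEYS.has(key)) continue; // the key-deny check
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed configuration input of the kind a CI job might parse from a PR.
function demo() {
  const payload = JSON.parse('{"__proto__":{"polluted":"yes"},"retries":3}');
  naiveMerge({}, payload);
  const afterNaive = ({}).polluted;       // leaked onto every object
  delete Object.prototype.polluted;       // undo before the hardened run
  const merged = safeMerge({}, payload);
  return { afterNaive, afterSafe: ({}).polluted, retries: merged.retries };
}

console.log(demo());
```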
Three squatted package names matched a leading ORM by Levenshtein distance one. Each carried an install-time post-script that exfiltrated environment variables to a short-lived collector. Reported to the registry's security team alongside YARA signatures from the install scripts; takedown completed in under 36 hours, with affected installs surfaced to our customers ahead of public disclosure.
The library normalised user-supplied URLs without rejecting alternative IP encodings or short-form loopback aliases, so a webhook target string could redirect outbound calls into the metadata service of a cloud host. Coordinated with the maintainer for a default allowlist and an opt-out for callers that need full URL latitude.
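A defensive check for the URL class described above, as an added example rather than the library's code or its shipped fix. It relies on the WHATWG URL parser in Node.js, which canonicalises hex, octal, integer and short-form IPv4 hosts to dotted decimal before the range test; isBlockedWebhookTarget, BLOCKED_V4 and the sample URLs are constructed for the example.

```javascript
// Added illustration; isBlockedWebhookTarget and BLOCKED_V4 are hypothetical names.
const BLOCKED_V4 = [
  ["0.0.0.0", 8],
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // private ranges
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, where cloud metadata services live
];

function v4ToInt(dotted) {
  return dotted.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inCidr(ip, [base, bits]) {
  const size = 2 ** (32 - bits);
  return Math.floor(v4ToInt(ip) / size) === Math.floor(v4ToInt(base) / size);
}

// Returns true when the webhook target must be refused.
function isBlockedWebhookTarget(raw) {
  let url;
  try { url = new URL(raw); } catch { return true; }      // unparseable: refuse
  if (url.protocol !== "https:" && url.protocol !== "http:") return true;
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.startsWith("[")) return true;                  // IPv6 literal: refuse
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {                // canonical IPv4 literal
    return BLOCKED_V4.some((range) => inCidr(host, range));
  }
  // A DNS name: the resolved address still has to be checked at connect time.
  return false;
}

// Constructed sample targets, including alternative encodings of internal hosts.
const samples = [
  "http://2130706433/", "http://0x7f.1/", "http://127.1/",
  "http://0251.0376.0251.0376/latest", "https://hooks.example.com/notify",
];
for (const s of samples) console.log(s, "->", isBlockedWebhookTarget(s));
```

The check covers literal encodings only; a hostname that resolves to an internal address needs the same range test applied to the resolved IP.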
A catastrophic backtracking pattern in the cookie header parser turned a 2 KB attacker-controlled header into a 90-second event-loop stall. Reachable from any HTTP server exposing a cookie-reading middleware. We submitted a deterministic-regex rewrite that preserved the parser's grammar and shaved the worst case to constant time.
Candidate findings start as ranked dataflow paths from Eagle across the open-source corpus we mirror. Reachability is a hard precondition — if the sink isn't reachable from any plausible source, the candidate doesn't reach a human reviewer.
Griffin Zero hypothesises an exploit chain, cites the path in the call graph, and runs an adversarial disproof pass. Survivors are the candidates that the model's own counter-arguments could not refute under sanitiser constraints.
A senior security engineer reproduces the chain end-to-end, writes a minimal proof, drafts a patch where possible, and opens a coordinated disclosure with the upstream maintainer. Publication waits for the agreed window and a shipped fix.
Nothing leaves the research team until the chain is reproduced by hand, the maintainer is in the loop, and a patch is proposed.
For coordinated disclosure intake, reach the research desk at research@safeguard.sh. A PGP key is available on request — reply to the first acknowledgement and we'll send it. We commit to an acknowledgement within one business day, a triage decision within five, and a public advisory within the coordinated window once a fix is shipped.
External researchers credited in our advisories are listed on a permanent hall-of-fame page, with optional handles and links to their own write-ups. We name people who name themselves, and we honour withhold-from-credit requests when asked.
Safeguard runs a bounty programme for vulnerabilities in our platform and the open-source code we maintain. Scope, payout bands, safe-harbour language, and intake live on a dedicated page for security researchers.
Every advisory on this page started as a structured trace from the same pipeline you can run on your own repos.