NullRabbit

Posts tagged methodology.

9 entries · sorted: recency
SECURITY-RESEARCH
2026-06-26

The same method, pointed at the packet path

We took the parser-family lens that finds HTTP smuggling bugs and pointed it at the Linux kernel's network receive path, through Google's sanctioned bug-bounty programs. Then we measured our own opportunity honestly, and the honest answer was 'thin, for now.'

Simon Morley
5 min read
SECURITY-RESEARCH
2026-06-25

How we hunt request smuggling without breaking anything

A timing hunch is not a finding. The discipline that separates real desync research from noise is the part nobody photographs: a lab of real proxies, a back-end you own that logs the literal forwarded bytes, and a hard line about who you're allowed to point any of it at.

Simon Morley
6 min read
SECURITY-RESEARCH
2026-06-23

What we build when we're not looking at validators

The method we built for blockchain validator security turns out to be a general-purpose bug-finding method. We've started pointing it at two pieces of infrastructure everyone shares: the open-source HTTP proxy ecosystem, and the Linux kernel's packet path.

Simon Morley
3 min read
SECURITY-RESEARCH
2026-06-22

The h3 FIN/EOM desync, and why your smuggling tool can't send it

HTTP/3 request smuggling is almost unploughed ground. Not because the surface is small, but because nearly every tool speaks h1/h2 only, and the few that speak h3 do it through a conformant QUIC library that won't let you send the bug.

NullRabbit Labs
4 min read
SECURITY-RESEARCH
2026-06-09

The 99% was wrong. So was the 0.32.

Our detector's 99% accuracy was memorisation, and the 0.32 we nearly published in its place was wrong too. The clean experiment found the real split: cross-chain detection generalises, attribution doesn't.

Simon Morley
5 min read
SECURITY-RESEARCH
2026-06-02

Anyone can knock a validator over once. The skill is designing an attack you can learn from

Making a node fall over is easy and proves nothing. The craft is building a reproducer that isolates the mechanism, measures it against an honest baseline, bounds the cost, and runs on one command, so the number actually means something.

Simon Morley
3 min read
SECURITY-RESEARCH
2026-05-27

How we decide a finding is real before we tell you about it

We had a clean denial-of-service against consensus. Re-verification said the baseline was that low by config. No attack. So we pulled it. The discipline that catches our own mistakes is the reason our advisories are worth reading.

Simon Morley
3 min read
RESEARCH
2026-05-12

How we're building cross-chain ML detection for blockchain validator infrastructure

How we built a wire-shape detector that transfers across chains. V8 trained only on Sui hit 51 out of 51 zero-shot on Solana attacks it had never seen, because mechanism-class features carry across chains while host-telemetry features don't.

Simon
4 min read
SUBSTRATE
2026-05-06

Why ML Detection on Validator Infrastructure Keeps Reporting ROC = 1.000

V1 of our trainer scored ROC = 1.000 across all 17 folds. Two minutes of audit found why. Eight leak surfaces later, here's the apparatus that stops you fooling yourself with one.

Simon
5 min read