Responsible Disclosure

PurpleSwarm performs security research to help reduce risk across the public internet. If we detect a security vulnerability affecting an open source project or a publicly reachable website, we make a good-faith effort to inform the relevant owners or maintainers.

What we do

  • Notify the owner, maintainer, or security contact with enough detail to reproduce and fix the issue.
  • Prefer established disclosure channels (security.txt, vendor security email, issue trackers with security workflows, or platform-specific reporting mechanisms).

What we don't do

  • We don't exploit vulnerabilities or access private data.
  • We don't publicly disclose details before giving owners time to address the issue.

Identified vulnerabilities

  • Bitflip attack due to cryptographic weakness (OIDC library)
    Misuse of CFB mode in an AES cipher leaves ciphertext malleable, allowing bitflip attacks against a token introspection endpoint. Disclosed to vendor.
    Status: CVE pending

  • Authentication bypass due to guessable session identifiers
    Use of insecure time-based session identifiers leads to guessable session IDs. Disclosed to vendor.
    Status: CVE pending

  • Denial of service due to missing database index
    A missing database index leads to expensive queries and resource exhaustion under load.
    Status: Private

  • 50+ more vulnerabilities
    Reported to vendors.
    Status: Private