Track Record

The numbers are the proof.

Every statistic on this page is backed by reproducible evidence: commit hashes, MITRE filings, regulatory submissions, and verified platform records.

165+: CVEs Filed or in MITRE Pipeline
4,103: Silent Patches Identified
0.44%: Industry Disclosure Compliance Rate
$7.16B: Dependent Value At Risk
100%: Validity Rate on Record
50+: Networks Exposed

These are not estimates. Every number is documented and reproducible.

165+ CVEs means 165 distinct vulnerability identifiers filed with MITRE or in active pipeline. Each one represents a confirmed security flaw that a vendor knew about and did not disclose. The filings are public record.

4,103 silent patches means 4,103 security-relevant code changes across nine major open-source projects that were merged without a CVE, without a security advisory, and without notifying downstream users. We identified these using proprietary instrumentation that scans commit history against 30+ security signatures.

0.44% disclosure rate is the measured compliance rate across the projects we studied. For every security fix that was properly disclosed, 227 were concealed. This is not an estimate. It is a count.

$7.16B at risk is the total value of assets running on infrastructure we proved is vulnerable, from a single finding set in the CometBFT consensus engine. Four zero-days. Fifty-plus blockchain networks. The value is calculated from on-chain data at time of discovery.

Coverage

Vendors assessed.

Partial list. We do not disclose targets with active regulatory proceedings.

CometBFT: Patches 900+, Disclosed 0.3%
Cosmos SDK: Patches 600+, Disclosed 0.5%
Go-Ethereum: Patches 733, Disclosed 0.4%
IBC-Go: Patches 200+, Disclosed 0.2%
Berachain: Patches 13+, Disclosed 0%
Infisical: Patches 18+, Disclosed 0%
Hyperswitch: Patches 70+, Disclosed 0%
OKG / OKX Chain: Patches 900+, Disclosed 0%
Polygon: Findings 21 (3 Critical / 9 High / 9 Medium)

Selected Timeline

Public record.

2026

CometBFT consensus zero-days

Four zero-day vulnerabilities discovered in the CometBFT consensus engine. Fifty-plus blockchain networks exposed. $7.16B in dependent value documented. CVEs filed with MITRE. Active regulatory filing with the Ontario Securities Commission.

Critical

2026

Silent patch measurement at scale

First systematic measurement of vendor disclosure compliance across nine major open-source projects. 4,103 undisclosed security patches identified. 0.44% disclosure rate documented. Proprietary instrumentation built to perform the sweep in under ten minutes.

Industry First

2026

Vendor misconduct documentation

Documented pattern of vendor misconduct across nine-plus vendors: theft of researcher findings, silent patching post-disclosure, evidence concealment techniques, and retaliatory conduct toward security researchers.

Regulatory

2026

Go-Ethereum fork exposure

733 undisclosed patches identified in Go-Ethereum. Three major forks confirmed vulnerable: Arbitrum, Polygon, BSC. $6.1M in combined bounty pool exposure documented.

High

2026

OSC regulatory filing

Filed with the Ontario Securities Commission regarding systemic disclosure failures in blockchain infrastructure affecting Canadian investors. First known regulatory complaint of this category in Canadian jurisdiction.

Enforcement

How we find what others miss.

Proprietary instrumentation. Three tools built in-house for detecting concealed vulnerability disclosures at scale: Ghost Patch Scanner, Cascade Engine, and Fork Drift Analyzer. No off-the-shelf equivalent exists.

Structured kill-loop. Every finding undergoes forced negative confirmation. Three passes from different angles: intended behavior, production reachability, and concrete proof-of-concept. If it does not survive all three, it does not reach the record.

100% validity standard. We do not submit findings that might be valid. We submit findings that are valid. The 100% validity rate is not a marketing claim. It is the result of killing weak findings before they leave the lab.

Adversarial scrutiny. Every finding is packaged as though it will be cross-examined. Because it will be. Evidence is structured for regulatory and legal proceedings, not just bug bounty triage.

Engagement

Work with us.

For regulators, enforcement bodies, and organizations that need technical proof of what vendors are hiding.