Proprietary Tooling

Built to measure what vendors conceal.

These tools do not exist anywhere else. They represent years of methodology development and the only systematic approach to measuring vendor disclosure compliance at scale.

01
Ghost Patch Scanner
Type: Detection
Input: Git Repository
Output: Patch Inventory

Silent Patch Detection at Scale

The Ghost Patch Scanner analyzes commit histories to identify security-relevant code changes that lack corresponding public disclosure. It classifies commits by their actual code change patterns, not by commit message labels or vendor-provided metadata.

A vendor changes a function from accepting arbitrary input to validating it against a whitelist. The commit message says “code cleanup.” The scanner classifies the change as a security fix from the diff pattern alone: an input validation boundary was added where none existed before.

What It Detects

Authentication bypasses patched without advisory. Authorization changes without CVE. Input validation additions with no changelog entry. Cryptographic implementation fixes with no disclosure. Denial-of-service condition removals with no notification to downstream users.
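The diff-pattern idea above, as an added illustration written for this page rather than the Ghost Patch Scanner's own logic: a small Python classifier that reads only the added lines of a unified diff, matches them against a handful of assumed security-relevant patterns (allowlist checks, permission checks, limits and deadlines, constant-time comparisons), and flags a commit as a ghost patch when the diff looks like a security fix but the message does not say so. The pattern list, the message keywords and both sample diffs are constructed for the example and are not the vendor's rules.

```python
"""Diff-pattern classifier: decides whether a commit is a security fix from the
added lines of its diff, ignoring the commit message. Added illustration; the
patterns and sample diffs are constructed and are not the vendor's rules."""
import re
from dataclasses import dataclass, field

# Regexes applied to added ('+') lines only. Heuristic and Python-flavoured by
# assumption; a production classifier would parse the language, not lines.
SECURITY_PATTERNS = {
    "input-validation": [
        r"\bnot in\s+\w*(ALLOW|WHITE)\w*",          # allowlist membership check
        r"\bisinstance\(",                           # type check
        r"\blen\([^)]*\)\s*(<|>|<=|>=)",             # length bound
        r"\bre\.(fullmatch|match)\(",                # format check
    ],
    "authorization": [
        r"\b(has_perm|is_admin|is_owner|can_\w+|require_role)\(",
        r"\braise\s+\w*(Forbidden|PermissionDenied|Unauthorized)\b",
    ],
    "denial-of-service": [
        r"\b(timeout|deadline|MAX_[A-Z_]+|max_\w+)\b",   # limits and deadlines
    ],
    "crypto": [
        r"\b(compare_digest|constant_time_compare|secrets\.token_\w+)\b",
    ],
}

# Words that would make a commit message admit a security fix (also assumed).
MESSAGE_DISCLOSES = re.compile(r"security|CVE-\d{4}-\d+|vuln|exploit|bypass", re.I)


@dataclass
class Verdict:
    security_relevant: bool
    categories: dict = field(default_factory=dict)   # category -> matching added lines
    files: list = field(default_factory=list)


def added_lines(diff):
    """Yield (path, text) for each line a unified diff adds."""
    path = None
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("+"):
            yield path, raw[1:]


def classify_diff(diff):
    """Classify a diff by what its added lines do, not by what anyone says about it."""
    v = Verdict(security_relevant=False)
    for path, text in added_lines(diff):
        if path and path not in v.files:
            v.files.append(path)
        for category, regexes in SECURITY_PATTERNS.items():
            if any(re.search(rx, text) for rx in regexes):
                v.categories.setdefault(category, []).append(text.strip())
    v.security_relevant = bool(v.categories)
    return v


def classify_commit(message, diff):
    """Contrast what the message says with what the diff shows."""
    v = classify_diff(diff)
    disclosed = bool(MESSAGE_DISCLOSES.search(message))
    return {
        "message_discloses": disclosed,
        "diff_is_security_fix": v.security_relevant,
        "categories": sorted(v.categories),
        "files": v.files,
        "ghost_patch": v.security_relevant and not disclosed,   # fix without disclosure
    }


# Constructed sample: the "code cleanup" commit that actually adds an allowlist check.
GHOST_DIFF = """\
diff --git a/app/api.py b/app/api.py
--- a/app/api.py
+++ b/app/api.py
@@ -10,5 +10,7 @@ def set_role(request, user_id):
-    role = request.form["role"]
+    role = request.form.get("role", "")
+    if role not in ALLOWED_ROLES:
+        raise ValueError("invalid role")
     user = User.get(user_id)
     user.role = role
"""

# Constructed sample: a genuine refactor, which must not be flagged.
REFACTOR_DIFF = """\
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -1,2 +1,2 @@
-def fmt(x):
-    return str(x)
+def format_value(value):
+    return str(value)
"""

if __name__ == "__main__":
    print(classify_commit("code cleanup", GHOST_DIFF))
    print(classify_commit("refactor: rename helper", REFACTOR_DIFF))
```

The verdict keys the decision on the added lines, so a message that says "security" and a message that says "cleanup" get the same diff classification; only the ghost_patch flag differs.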

Scale

The scanner has processed over 6,700 security-relevant commits across 9 major projects in a single sweep. It operates on any Git repository and produces an inventory of patched-but-undisclosed fixes, each with a severity classification.

02
Cascade Engine
Type: Propagation
Input: Patch Database
Output: Fork Exposure Map

Fork Propagation Analysis

The Cascade Propagation Engine takes the output of the Ghost Patch Scanner and maps it across every known fork of the target project. For each fork, it identifies which patches have been incorporated, which are missing, and the exposure window for each gap.

Go-ethereum silently patches a critical ECIES vulnerability. The Cascade Engine identifies that Arbitrum, Polygon, and BSC are all running forks that have not incorporated the fix. It calculates the exposure window: 6 months for Arbitrum, 8 months for Polygon, 11 months for BSC. None of them know.

What It Maps

Exact commit-level gap analysis per fork. Exposure window duration for each missing patch. Severity distribution across the fork ecosystem. Combined financial exposure across all affected networks.

03
Fork Drift Analyzer
Type: Divergence
Input: Fork + Upstream
Output: Drift Report

Upstream Divergence Measurement

The Fork Drift Analyzer measures how far a fork has diverged from its upstream source, with specific focus on security-relevant divergence. A fork that is 1,554 commits behind upstream is not just outdated. It is carrying a quantifiable security debt that grows with every upstream release cycle it skips.

Polygon’s Bor client is forked from go-ethereum v1.14.13. The Fork Drift Analyzer calculates: 1,554 total commits behind upstream, 488 of which are security-class. Four major release cycles skipped. The drift is accelerating, not converging.

What It Measures

Total commit divergence from upstream. Security-class commit gap. Release cycles skipped. Drift velocity (accelerating or converging). Estimated remediation effort to close the gap.
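Both the Cascade Engine's per-fork gap analysis and the Fork Drift Analyzer's divergence metrics reduce to set arithmetic over an upstream commit list and each fork's incorporated set. The following is an added example written for this page, not the vendor's code: it models a short constructed upstream history (each commit carrying a security-class flag, as a diff-based classifier would assign, and an optional release tag), two hypothetical forks, and computes the Cascade-style output (missing security patches with an exposure window per fork) and the Drift-style output (commits behind, security-class gap, releases skipped, and a trend derived from the gap size at three points in time). All shas, dates, fork names and the 90-day window are assumptions.

```python
"""Fork gap and drift metrics over a constructed upstream history.
Added example; every sha, date and fork below is made up for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Commit:
    sha: str
    when: date
    security: bool = False          # security-class, as a diff classifier would decide
    release: Optional[str] = None   # upstream tag cut at this commit, if any


@dataclass(frozen=True)
class Fork:
    name: str
    fork_point: str                          # upstream sha the fork branched from
    backported: frozenset = frozenset()      # upstream shas cherry-picked since then


def upstream_after(upstream, fork_point):
    """Upstream commits newer than the fork point, in history order."""
    for i, c in enumerate(upstream):
        if c.sha == fork_point:
            return upstream[i + 1:]
    raise ValueError(f"fork point {fork_point} not in upstream history")


def missing_commits(upstream, fork, as_of):
    """Upstream commits (up to as_of) the fork has neither rebased onto nor cherry-picked."""
    return [c for c in upstream_after(upstream, fork.fork_point)
            if c.when <= as_of and c.sha not in fork.backported]


def cascade_report(upstream, forks, as_of):
    """Per fork: each missing security patch and its exposure window in days."""
    return {f.name: [(c.sha, (as_of - c.when).days)
                     for c in missing_commits(upstream, f, as_of) if c.security]
            for f in forks}


def drift_report(upstream, fork, as_of, window_days=90):
    """Divergence metrics for one fork, including whether the gap is growing faster."""
    missing = missing_commits(upstream, fork, as_of)
    # Releases upstream has cut since the fork point; a cherry-pick does not adopt a release.
    skipped = [c.release for c in upstream_after(upstream, fork.fork_point)
               if c.release and c.when <= as_of]
    # Gap size at three snapshots one window apart, oldest first, to estimate velocity.
    series = [len(missing_commits(upstream, fork, as_of - timedelta(days=window_days * k)))
              for k in (2, 1, 0)]
    earlier_growth, recent_growth = series[1] - series[0], series[2] - series[1]
    if recent_growth < 0:
        trend = "converging"          # the fork is catching up
    elif recent_growth > earlier_growth:
        trend = "accelerating"        # the gap grew faster in the latest window
    else:
        trend = "steady"
    return {
        "commits_behind": len(missing),
        "security_behind": sum(c.security for c in missing),
        "releases_skipped": skipped,
        "gap_series": series,
        "trend": trend,
    }


# Constructed upstream history (oldest first). "a0" is where both forks branched.
UPSTREAM = [
    Commit("a0", date(2024, 1, 10), release="v1.14.0"),
    Commit("a1", date(2024, 2, 1), security=True),
    Commit("a2", date(2024, 3, 5)),
    Commit("a3", date(2024, 4, 2), security=True, release="v1.15.0"),
    Commit("a4", date(2024, 5, 20)),
    Commit("a5", date(2024, 6, 15), security=True),
    Commit("a6", date(2024, 7, 1), release="v1.16.0"),
    Commit("a7", date(2024, 8, 12), security=True),
    Commit("a8", date(2024, 9, 3)),
    Commit("a9", date(2024, 9, 20), security=True),
    Commit("a10", date(2024, 9, 25)),
]
# Two hypothetical forks: one cherry-picked two early fixes, one took nothing.
FORKS = [Fork("fork-a", "a0", frozenset({"a1", "a3"})), Fork("fork-b", "a0")]
AS_OF = date(2024, 10, 1)

if __name__ == "__main__":
    for name, gaps in cascade_report(UPSTREAM, FORKS, AS_OF).items():
        print(name, gaps)
    for f in FORKS:
        print(f.name, drift_report(UPSTREAM, f, AS_OF))
```

Exposure is measured from the upstream fix date, which is the conservative choice: a downstream network is exposed from the moment the fix is public in upstream's history, whether or not anyone announced it.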

6,700+ Patches Scanned: across 9 major infrastructure projects in a single sweep.
0.44% Disclosure Rate: the industry average we measured and published.
9 Years: since go-ethereum’s last comprehensive audit (the tools found what the absence of audits hid).

Access

The tools are proprietary. The results are available.

Silent Patch Intelligence subscriptions deliver monthly reports powered by these tools. Engagement clients receive full tool output for their target ecosystem.