Security research for open-source software.
Coordinated security research for open-source software. Vulnerabilities discovered through automated cross-module analysis, manually verified, and disclosed under embargo with project maintainers — published via GitHub Security Advisories and indexed in the National Vulnerability Database.
Mission.
AuditCode Research publishes coordinated security research on open-source software. Findings are submitted to project maintainers under embargo and disclosed publicly only after a patch ships.
The research arm runs the AuditCode.ai analysis engine — a language-agnostic, domain-agnostic pipeline — against open-source software. The engine performs cross-module data-flow analysis on any codebase, regardless of category: web platforms, data systems, infrastructure tooling, cloud control planes, ML/AI infrastructure, developer tooling. Every finding is reproduced by hand in an isolated environment before submission as a coordinated advisory through the GitHub Security Advisories program (GHSA). Published advisories are indexed in the National Vulnerability Database (NVD).
Engine, then reviewer.
Analysis runs in three sequential stages — structural parsing, per-module review against a vulnerability taxonomy, and cross-module data-flow tracing — followed by manual reproduction of every candidate finding before disclosure.
Modern software systems — web platforms, data pipelines, ML systems, cloud control planes — compose dozens of modules, and security bugs often emerge not from any single file but from how those modules trust each other. One module treats input metadata as trusted and passes it along; another treats that module's output as already validated and feeds it to a sink; the chain produces a vulnerability that no per-file scanner would flag, because the source and the sink never appear in the same file. Cross-module taint tracing, which follows untrusted data across those module boundaries from source to sink, is the analysis that surfaces this class.
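The following is a constructed illustration of that trust chain, added here as an example; it is not AuditCode's engine or any real project's code, and every module, function and field name in it is an assumption. An `ingest` module packages client-supplied metadata and a `storage` module builds a filesystem path from the result. Each module is unremarkable on its own; together they form a path traversal. A small summary-based taint trace then shows why a module-local review misses the bug and a cross-module one does not, and the hardened sink shows the fix: re-validate at the boundary instead of trusting upstream.

```python
"""Constructed illustration (added example, not AuditCode's engine or any real
project's code): two modules that each pass a per-file review but compose
into a path traversal, plus a summary-based taint trace that only flags the
bug when taint is allowed to cross the module boundary. All module, function
and field names are assumptions."""
import os
from dataclasses import dataclass, field


# --- "ingest" module: packages client-supplied metadata. No sink lives here,
# so a per-file scanner has nothing to report.
@dataclass
class Upload:
    name: str
    data: bytes


def parse_upload(metadata: dict, body: bytes) -> Upload:
    # metadata["name"] is attacker-controlled and passed through untouched.
    return Upload(name=metadata["name"], data=body)


# --- "storage" module: treats Upload.name as already validated (it is not).
def store_path_vulnerable(root: str, up: Upload) -> str:
    # Sink: a filesystem path built from another module's output. No source
    # is visible inside this module, so module-local review sees clean data.
    return os.path.join(root, up.name)


def store_path_hardened(root: str, up: Upload) -> str:
    # Re-validate at the sink instead of trusting upstream. realpath resolves
    # ".." and symlinks; an absolute name makes os.path.join discard root,
    # which the commonpath check catches as well.
    base = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(base, up.name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes storage root: {up.name!r}")
    return candidate


def traversal_blocked(root: str, name: str) -> bool:
    """True if the hardened sink rejects `name`."""
    try:
        store_path_hardened(root, Upload(name=name, data=b""))
    except ValueError:
        return True
    return False


# --- Cross-module taint trace over per-function summaries: the shape a
# cross-module data-flow pass works with once each module has been parsed.
@dataclass
class Summary:
    module: str
    returns_taint_of: set = field(default_factory=set)  # params whose taint reaches the return
    sink_params: set = field(default_factory=set)       # params that reach a dangerous sink


@dataclass
class Call:
    func: str
    args: dict  # callee parameter -> "USER_INPUT", "CONFIG", or "ret:<func>"


def trace(summaries: dict, pipeline: list, cross_module: bool = True) -> list:
    """Walk a handler's call sequence and return (function, parameter) pairs
    where tainted data reaches a sink. With cross_module=False, taint that
    originated in a different module is dropped at the boundary, which is
    exactly the blind spot of a per-module review."""
    tainted = {"USER_INPUT": None}  # value -> module that produced it (None = external)
    hits = []
    for call in pipeline:
        s = summaries[call.func]
        live = set()
        for param, value in call.args.items():
            if value not in tainted:
                continue
            origin = tainted[value]
            if cross_module or origin is None or origin == s.module:
                live.add(param)
        hits.extend((call.func, p) for p in sorted(live & s.sink_params))
        if live & s.returns_taint_of:
            tainted[f"ret:{call.func}"] = s.module
    return hits


SUMMARIES = {
    "ingest.parse_upload": Summary("ingest", returns_taint_of={"metadata", "body"}),
    "storage.store_path_vulnerable": Summary("storage", sink_params={"up"}),
    "storage.store_path_hardened": Summary("storage"),  # validates before its sink
}


def pipeline(store_func: str) -> list:
    """The handler's call sequence: ingest first, then hand the result to storage."""
    return [
        Call("ingest.parse_upload", {"metadata": "USER_INPUT", "body": "USER_INPUT"}),
        Call(store_func, {"root": "CONFIG", "up": "ret:ingest.parse_upload"}),
    ]


if __name__ == "__main__":
    print(trace(SUMMARIES, pipeline("storage.store_path_vulnerable")))
    print(trace(SUMMARIES, pipeline("storage.store_path_vulnerable"), cross_module=False))
```

Run with `cross_module=False` the trace reports nothing, which is what a per-module review sees: the storage module receives a value produced by another module and treats it as clean. With the boundary crossed, the same summaries yield a hit on `storage.store_path_vulnerable`, and the hardened variant yields none because its summary has no sink parameter left unvalidated.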
The engine has analyzed multi-million-line open-source codebases across the modern software stack, surfacing findings ranked by exploit confidence and cross-module reachability. Severity is assigned only after manual verification.
Engine output never reaches a maintainer's inbox without human verification. The full pipeline, verification protocol, and validation approach are documented in the technical report.
Read the methodology →
Published advisories.
Public advisories are listed below. Each entry links to its GHSA record and corresponding NVD identifier. AuditCode Research does not pre-announce.
The first advisory will appear here when its embargo lifts.
Each row will list the GHSA identifier, the affected project, severity (CVSS v3.1), the patched version range, and the credited researcher.
Founder.
Every advisory is signed by the researcher who personally verified the finding.
Ibrahim Hashimov
Builds the AuditCode.ai cross-module analysis engine and personally reviews every advisory before disclosure. Work spans static analysis, applied large-language-model tooling for code review, and coordinated vulnerability disclosure under the GHSA program.
Disclosure principles.
Four principles guide every advisory.
Coordinated disclosure.
Every advisory is first reported privately to the affected project's maintainers through their published security channel. The default disclosure window is 90 days from the initial private report. AuditCode Research publishes before the window closes only in narrowly defined circumstances: (a) credible evidence of active in-the-wild exploitation, (b) public disclosure of the same vulnerability by an independent third party, or (c) no substantive maintainer response within 14 days of initial contact, and none within a further 14 days after a follow-up through a second channel. In case (c), AuditCode Research may refer the matter to CERT/CC as a neutral coordinator before publishing.
Manual verification.
No AI-generated finding reaches a maintainer without human review. False positives consume maintainer time and erode trust in the disclosure ecosystem.
Maintainer collaboration.
AuditCode Research coordinates with maintainer security teams, credits their work publicly, and provides diff-format patch suggestions where the surrounding code permits.
Minimum necessary detail.
Proof-of-concept code is shared privately with maintainers. Public advisories include only what is needed to validate the fix.