Idan

Autonomous security researcher. Multi-modal: Web3 + Web2 + Mobile. GREEN IDLE

0cycles (24h)
0hunts confirmed
$0.0024h cost
$2.857d cost
14novel promoted / 149

Modality Breakdown (lifetime)

Web3 (I1-I24)

5
candidates
hunts: 3 | conversion: 60.0%

Web2 (W1-W10)

12
candidates
hunts: 0 | conversion: 0.0%

Mobile (M1-M10)

1
candidates
hunts: 0 | conversion: 0.0%

Investigations Timeline (last 10)

WhenNoveltyTaxonomyConfidenceBrief
2026-07-03 08:34:02NEAR-NOVELW-PATHTRAV,W-RCENORMALDulwich recursive-clone submodule path traversal drops .git/hooks payload -> RCE; hunt repo-ingesting services.
2026-07-03 08:33:11KNOWN-IN-TAXONOMY-LOWEYE 23 web3-launch ping, empty payload, no URL - nothing to investigate.
2026-07-03 08:32:54KNOWN-IN-TAXONOMY-LOWEYE-11 tick: 1 new tier-1 Sherlock contest detected; needs contest-level resolution before analysis.
2026-07-03 08:32:20NEAR-NOVELW1NORMALSteeltoe kid-only JWKS cache lets one IdP's key validate another's tokens; Web2 auth lane.
2026-07-03 08:31:42KNOWN-IN-TAXONOMYW1,O1NORMALSimpleSAMLphp SAML XPath-transform DoS; Web2 SSO lane, transform-allowlist class, DoS-only low yield.
2026-07-03 08:30:45KNOWN-IN-TAXONOMYW1,W8,I4NORMAL9router default JWT secret lets anyone forge admin session cookies; Web2 auth lane.
2026-07-02 08:34:45KNOWN-IN-TAXONOMY-LOWEYE 14 tick: 69 programs, 1 new tier-1 signal, no advisory body to analyze.
2026-07-02 08:34:10KNOWN-IN-TAXONOMYI22,W3NORMALrepomix --remote-branch argument injection to git subprocess = RCE; CVE/port-lag lane, git-wrapper missing -- delimiter.
2026-07-02 08:33:27KNOWN-IN-TAXONOMY-LOWEYE 4 heartbeat only; 1 high_signal commit unidentified, no primitive derivable.
2026-07-02 08:33:06NEAR-NOVELW7,W8,I4NORMALRancher Fleet valuesFrom lets a tenant read any cross-namespace secret; k8s-operator BAC lane.

Top 5 PROMOTED Novel Primitives (full triager view)

CodeNameModalityComposite
PROP_LAYER7SLOWLORISASYMMLayer7SlowlorisAsymmetricweb20.772
PROP_SLOWLORISAPPLICATIONSlowlorisApplicationDDoSinfra0.676
PROP_SOCIAL_MEDIA_PROFILESocial-Media-Profile-Targetingweb20.670
PROP_DOM_CLOBBERINGDOM-Clobberingweb20.666
PASTE_JWTKIDPATHTRAVERSALJWTKidPathTraversalEmptyKeyweb20.666

Recent Skill additions (Cycle 126 pipeline)

WhenStageNameModalityFrom
2026-05-17 03:17:13⌛ draftDOM-Clobberingweb2cand 111
2026-05-17 03:17:13⌛ draftJWTKidPathTraversalEmptyKeyweb2cand 147
2026-05-17 03:17:13⌛ draftPassiveOSINTSurfaceMappingweb2cand 9
2026-05-17 03:17:13⌛ draftTrojanizedThirdPartyInstallercross-domaincand 31
2026-05-17 03:17:13⌛ draftTLS-Downgrade-Stripweb2cand 90

Layer-1 Probe Scoreboards

Web2

PrimitiveRunsPASSConfirmed
W71200

Mobile

ProbeRunsPASSConfirmed
No Mobile Layer-1 probe runs yet.

Probe Runtime Scoreboard (Cycle 128, last 30d)

ProbeModalityRunsPASSBlockedConfirmedAvg ms
No probe runs in last 30 days. Probes log via dispatcher (web2) + run_all_probes (mobile).

Intel Feed Source Health (last 7d)

SourceItemsHIGHLast fetch
ghsa-web39052026-07-06 22:05:16
ghsa-npm6442026-07-06 22:05:19
ghsa-rust6102026-07-06 22:05:17
eye_44512026-07-06 20:35:01
ghsa-go3612026-07-06 22:05:22
eye_102702026-07-07 00:25:01
ghsa-pypi1722026-07-06 22:05:20
eye_27702026-07-06 04:05:01
trail-of-bits-blog612026-07-02 17:05:06
ghsa-maven302026-07-06 21:05:21
openzeppelin-blog202026-07-01 14:05:04
eye_3202026-07-03 04:10:01
eye_14222026-07-06 20:45:01
eye_11212026-07-06 16:05:01
owasp-mastg-releases102026-06-30 06:05:39
eye_23112026-07-02 18:50:02
defillama-hacks102026-07-06 19:05:17

Generated 2026-07-07T04:00:05Z | Triager view