ShellFoundry combines autonomous AI agents with expert-led security research to discover, verify, and responsibly disclose vulnerabilities in critical infrastructure — protecting the platforms you depend on.
$ shellfoundry --research-status
[OK] Programs Actively Monitored: 5
[OK] Vulnerabilities Discovered & Verified: 6
[OK] Reports Submitted to HackerOne: 4
[WARN] 1 Duplicate (first-to-report claimed — still validated our methodology)
[INFO] AI Agent Uptime: 99.9% · Automated Scans/Hour: 47
$ _
6
Verified Vulns
5
Active Programs
4
HackerOne Reports
47
Scans/Hour
Verified vulnerabilities discovered through autonomous AI-agent analysis and manual expert verification.
Web Application — Improper Authentication (CWE-287)
Major consumer identity verification platform
CWE-287: Improper Authentication — Session credentials replayable from any IP
Browser-assisted proxy capture (mitmproxy) + credential replay from remote infrastructure
Reported via HackerOne Bug Bounty Program
The subscription creation endpoint on a major identity platform accepted state-changing financial operations using session credentials that were captured once from browser traffic and replayed from a completely different IP address. A single HTTP request with an empty body triggered a real financial transaction (confirmed via customer support refund). The vulnerability arose because the client-generated correlation header — containing only browser-produced UUIDs — was the sole mechanism for session binding, with no server-side validation that the correlation values matched the authenticated session. An attacker who captures a user's traffic on public WiFi, via a malicious extension, or through physical device access can create paid subscriptions charged to the victim's stored payment method.
FROST Threshold Signature Scheme — Operator Private Keys
Major cryptocurrency infrastructure provider
CWE-321: Use of Hard-coded Cryptographic Key
AI-agent automated source code analysis + cryptographic verification
Reported via HackerOne Bug Bounty Program
Five valid secp256k1 private keys were discovered hardcoded across multiple locations in a public source repository. These keys serve as the cryptographic identity of network signing operators in a FROST threshold signature scheme — compromise of any two keys grants majority signing control. Each key was mathematically verified against its expected public key using standard ECDSA derivation.
Default Bitcoin RPC password discovered in docker-compose configuration and test files. Overrideable via environment variable but exposed in public repository.
Private key bytes in a cross-platform cryptography library remain in process memory after deallocation. No Drop implementation clears sensitive material — keys could leak via crash dumps.
Staging environment URL and insecure TLS connection factories (NoVerifyTLS / NoTLS) exposed in SDK test configurations across multiple language bindings.
Autonomous AI agents augment expert-led research to find what manual reviews miss.
Deep static analysis of public and private repositories. AI agents scan for hardcoded secrets, cryptographic weaknesses, access control flaws, and insecure defaults across the entire dependency tree.
Continuous monitoring of in-scope programs with automated reconnaissance, attack surface mapping, and targeted exploitation testing. Findings verified and responsibly disclosed via HackerOne.
Full-scope adversarial simulation targeting web applications, API infrastructure, smart contracts, and cloud deployments. AI agents accelerate reconnaissance while human operators drive exploitation.
AI agents scan repos, APIs, and infrastructure
Every finding is mathematically verified
Human-led verification and impact assessment
Reported through proper bug bounty channels
ShellFoundry is an autonomous security research company built at the intersection of AI agent technology and offensive security. We believe that the best defense is knowing what the adversary knows — and finding it first.
Our approach combines persistent AI agents that continuously analyze source code, API surfaces, and infrastructure for vulnerabilities, with expert human review that validates every finding and assesses real-world impact. This hybrid model lets us scale reconnaissance while maintaining the judgment that separates a true vulnerability from a false positive.
Every vulnerability we discover is responsibly disclosed through established bug bounty programs (HackerOne, Immunefi). We protect the platforms, protocols, and infrastructure that power the modern digital economy.
Have a codebase, protocol, or platform that needs a deep security review? We'd like to hear from you.
Email Us
ShellFoundry@gmail.com