Security
I'm Tom Ryan (A5omic), an independent security researcher. I find and report memory-safety and authorization flaws in widely-used software — the Linux kernel, V8/Chrome, and the infrastructure middleware that sits in front of everything else. Every entry below is public and credited; findings still under coordinated disclosure are listed here once their advisories publish.
Fixed upstream
| Date | Target | Finding | Reference |
|---|---|---|---|
| | Linux kernel | io_uring SQE_MIXED out-of-bounds read | c76e0f1d77f8 — merged by Jens Axboe; 6.19-stable 09bf79466c00 — backport, Sasha Levin; liburing a35e4943 — regression test |
| | V8 / Chrome | Maglev SaveCallSpeculationScope uninitialized read | 2d111040 — fixed by the V8 team, Chrome VRP panel |
Advisories
Reported through coordinated disclosure. Each advisory page becomes public when the maintainer publishes it.
| Date | Target | Finding | Status | Reference |
|---|---|---|---|---|
| | Vaultwarden | SSO "email verified" account takeover | Reported · in triage | GHSA-j4j8-gpvj-7fqr |
| | Plane | Cross-workspace IDOR | Reported · in triage | GHSA-6cw7-h92q-p9hg |
Further findings — including a cluster of authorization-layer path-normalization bypasses — are in coordinated disclosure now and will appear here on publication.
Programs & acknowledgements
- Apple
  - Five security submissions: WebKit (3 WGSL, 1 JSC) and XNU (a NECP use-after-free).
- Keycloak
  - Two ROPC brute-force reports via the U.S. DoD HackerOne VDP.
How I work
The edge is targeting and proof, not volume. I aim AI-driven fuzzers and test harnesses at the specific surfaces that look wrong, then reproduce every promising hit in the target's own compiled code before it leaves my desk. As automated scanners flood maintainers with plausible-but-wrong reports, the bar that matters is a real, reproducible PoC — not a screenshot. That verification step is the work.
Reporting & contact
For coordinated disclosure, email overboardapps@gmail.com, open a private security advisory on the affected repository, or reach me through HackerOne, Bugcrowd, or GitHub. I follow coordinated disclosure and publish writeups only after a fix ships and any embargo lifts. A security.txt is published at the canonical location.
For sensitive reports, encrypt to my PGP key (Ed25519, fingerprint 2ED8 B42D B037 A499 0967 7B3E C8A3 D6B6 D952 A47C).