Research

Research and disclosures.

Technical writing from the lab.

Public vulnerability findings

Browse some of the publicly disclosed vulnerabilities autonomously discovered by Winfunc, with source-to-sink traces, impact notes, proof-of-concept details, and remediation context.

View Findings

Research·April 18, 2026·11 min read

Hacking the old HackerNews codebase

Auditing the old HackerNews codebase for security vulnerabilities with LLMs on a specialized harness.

Research·8 min read

What an automated vulnerability research system actually found

Thirteen patched bugs across nine projects, including Node.js, React, NGINX, Mattermost, Supabase, Bun, Gumroad, Anthropic's MCP SDK, and Better-Auth. What the system got right, where it still falls over, and why executable PoCs matter more than model reasoning.

Research·9 min read

How Asterisk Works

A repost of the original Asterisk architecture: how an AI security agent indexed code, generated attack ideas, verified vulnerabilities, and produced patches with low-noise reports.