[ Memory-corruption verification · Critical infrastructure ]

Verified vulnerability research for critical infrastructure software.

Stella audits C/C++ infrastructure code and delivers only verified findings: reproducible PoCs, sanitizer evidence, source-citation validation, and coordinated-disclosure support. No unverified AI reports.

Request a pilot auditDownload sample report
  • 32 CVEs
  • $75K+ bounties
  • Verified findings only
  • 40+ targets audited
lilith@stella — bash — 80×24

[Why verification]

Discovery is becoming abundant. Trust is becoming scarce.

AI security tools, fuzzers, and CodeQL now generate more candidate vulnerabilities than maintainers can triage. In January 2026, curl ended its bug bounty program. The Internet Bug Bounty paused new submissions. The new bottleneck isn't finding bugs — it's proving they are real, reproducible, and reachable, then turning them into engineering outcomes your team can actually patch.

>_ Stella sits in that gap.

  • [Unverified candidates]

    Verified findings

    Filtered by Lilith's verification harness before a finding leaves the pipeline.

  • [Every PoC]

    ASAN-gated

    Reproduces on isolated GCP VMs with AddressSanitizer / UBSan / MSan before delivery.

  • [Disclosure]

    CVE-ready

    Disclosure language, vendor contacts, and embargo timeline drafted for every finding.

[Start here]

Stella Verified Audit Pilot

A two-week, fixed-scope audit of one repository or component. We deliver only verified findings — reproducible, sanitizer-backed, and ready for your engineers to patch.

[Scope]

  • 1 repository or component
  • C/C++ infrastructure
  • 2-week engagement
  • $15,000 fixed fee
  • NDA + coordinated-disclosure scope authorization included

[Deliverable]

  • Verified findings only
  • Reproducible PoCs on isolated GCP infrastructure
  • AddressSanitizer / UBSan / MSan evidence
  • Source-citation validation (no hallucinated lines)
  • CVSS / CWE drafts
  • Patch guidance + 1-week patch-validation window
  • Coordinated disclosure support

[Guarantee]

No unverified AI reports. No production testing. No public disclosure without your authorization.

Start a pilot audit

[How Stella delivers]

From a pinned revision to a verified, reproducible finding.

Stella runs four stages with verification gates between each one. Candidates that fail any gate are dropped rather than forwarded, so the final report contains only candidates that passed reproduction, evidence, and citation checks.

[01]

Scope

You share the target codebase and the in-scope component. Stella agrees scope, timeline, and disclosure path; NDA and coordinated-disclosure authorization are signed before audit work begins.

[02]

Lilith explores

Parallel LLM explorers build a threat model, cross-reference the code against protocol specs (TLS, X.509, HPKE, QUIC, and more), and generate adversarial attack hypotheses. An evaluator phase filters weak candidates before expensive verification.

[03]

Lilith verifies

Every surviving candidate is compiled with AddressSanitizer / UBSan / MSan and reproduced on isolated GCP instances. An evidence gate rejects hallucinated stack traces, and a source-citation gate validates every code reference against the actual repository revision — only machine-verified, citation-clean candidates continue.

[04]

Stella reports

You receive CVE-ready write-ups — CWE classification, CVSS scoring, runnable proof-of-concept code, and coordinated-disclosure guidance — reviewed and signed off by Haruto Kimura before delivery. A 1-week patch-validation window follows so we confirm the fix holds.

[Why Lilith]

What scanners miss. What verification catches.

Fuzzers can't reason about specifications. Static analyzers can't hypothesize. Manual audits take months. LLM-only tools generate noise. Stella's verification harness combines spec-aware LLM reasoning with deterministic sanitizer-backed verification.

Memory corruption, hunted by reasoning

Stella specializes in memory-corruption vulnerabilities — buffer overflows, use-after-free, integer underflow, out-of-bounds access — in C/C++ infrastructure code. Lilith's parallel LLM explorers read RFCs, build threat models, and generate attack hypotheses that fuzzers need millions of inputs to stumble into.

Sanitizer-backed proof-of-concept

Every candidate is built with AddressSanitizer / UBSan / MSan and reproduced on isolated GCP instances. Lilith's evidence gate rejects hallucinated stack traces, and a source-citation gate drops candidates whose line references don't exist in the audited revision. No AI slop reaches your engineers.

Verification-first delivery

Stella delivers reports, not triage queues. Every finding ships with a verified PoC, a patch suggestion, disclosure language, and a 1-week patch-validation window. The work is reviewed and signed off by a human auditor before it leaves Stella — AI-augmented, not AI-autonomous.

[What you receive]

Every finding is a CVE-ready disclosure your team can patch on the spot.

Lilith Engine doesn't return a triage queue. Each finding ships as a single Markdown document with a verified AddressSanitizer crash, an executable proof-of-concept, and the disclosure language already drafted — delivered to your inbox, GitHub Issues, Slack, or Jira.

  • CVE-ready Markdown disclosure

    CWE classification, CVSS v3.1 vector, technical details, call-path data flow, and remediation guidance — formatted for vendor or platform submission.

  • AddressSanitizer-verified PoC

    Reproducible crash on isolated Ubuntu 22.04 GCP infrastructure. Hallucinated traces are rejected by Lilith's evidence gate before they ever reach you.

  • One-click reproduction script

    A Bash script that clones the target, applies the build flags, compiles with ASAN, and runs the PoC. Self-contained, under 200 lines.

  • Coordinated-disclosure guidance

    Vendor security contacts, affected version ranges, and a disclosure timeline drafted to match each vendor's policy.

  • Delivered where your team works

    Email, GitHub Issues, Slack, or Jira — pick one or all. Critical findings escalate within 24–72 hours on Verified Audit and Triage Retainer engagements.

Real disclosure · publisheddisclosure.md

CVE-2026-6766

Integer underflow in tls13_AEAD → wild-address write via SSL_AeadDecrypt

Vendor
Mozilla — Firefox NSS (libssl3)
Severity
Medium · CVSS 5.3
CWE
CWE-191 (Integer Underflow / Wraparound)
Verified on
GCP e2-standard-4 · Ubuntu 22.04 · ASAN
Time to patch
Fixed in Firefox 150 and Firefox ESR 140.10

## Technical summary

When SSL_AeadDecrypt() is called with a ciphertext shorter than the AEAD tag length (16 bytes for AES-128-GCM), an unsigned subtraction in tls13_AEAD wraps around to ~4GB. The resulting wild tag pointer drives a SEGV during the Intel AES-GCM decrypt path. Reachable from any remote QUIC peer; affects deployments using external PKCS#11 modules.

## lib/ssl/tls13con.c:5150 — vulnerable AEAD decrypt path

/* tls13_AEAD() — decrypt path */
if (decrypt) {
    inLen = inLen - tagLen;        /* BUG: no check that inLen >= tagLen */
    tag = (unsigned char *)in + inLen;  /* wild pointer when underflow occurs */
}
rv = PK11_AEADOp(context, ivGen, fixedbits, ivOut, ivLen,
                 aad, aadLen, out, (int *)outLen, maxout,
                 tag, tagLen, in, inLen);

## AddressSanitizer output (excerpt)

==2914==ERROR: AddressSanitizer: SEGV on unknown address
The signal is caused by a WRITE memory access (wild-addr-write).
    #0 intel_aes_gcmDEC        intel-gcm.S:1186
    #1 platform_AES_GCM_DecryptAEAD  intel-gcm-wrap.c:503
    #2 sftk_AES_AEAD           softoken/sftkmessage.c:321
    #3 PK11_AEADRawOp          pk11/pk11cxt.c:1426
    #4 tls13_AEAD (decrypt=1)  lib/ssl/tls13con.c:5151  inLen=0xFFFFFFF5
SUMMARY: Wild-address write from unsigned (inLen - tagLen) underflow

[01]

32

CVEs Assigned

32 published

[02]

59

Findings Accepted

[03]

40+

Targets Audited

[04]

$75K+

Bounty Awards

Mozilla · Intel · Intigriti · YesWeHack

[Proven Results]

Real vulnerabilities, real impact.

Thirty-two CVEs publicly disclosed across CVE.org, NVD, and vendor advisories — spanning memory corruption, certificate validation, denial-of-service, routing-protocol parsing, and authorization bypasses — credited to Haruto Kimura (Stella). Nine FRRouting IDs (CVE-2026-39265–39274) were assigned on 2026-05-28 and are awaiting CNA publication.

$ lilith feed --top
  • CRITCVE-2026-34875·CVSS 9.8·Arm Mbed TLS/PSA Crypto FFDH

    Buffer overflow in FFDH public key export

    psa_export_public_key() fails to verify the caller-provided output buffer is large enough for FFDH public keys, overflowing the buffer during export. Credited to Haruto Kimura (Stella); fixed in Mbed TLS 3.6.6 and TF-PSA-Crypto 1.1.0.

    NVDMbed TLS
  • CRITCVE-2026-6665·CVSS 9.8·PostgreSQL/PgBouncer SCRAM

    Stack buffer overflow (CWE-121)

    PgBouncer's SCRAM authentication path assembles the client-final-message with strlcat() but ignores the return value, so a malicious PostgreSQL backend supplying an oversized nonce in server-final-message overflows the on-stack response buffer. Affects PgBouncer prior to 1.25.2.

  • HIGHCVE-2026-25833·CVSS 7.5·Arm Mbed TLS/x509_inet_pton_ipv6()

    Buffer underflow / underread

    The fallback IPv6 parser can walk before the start of the input buffer when handling IPv4-mapped portions, causing a small buffer underread and rare denial-of-service conditions. Credited to Haruto Kimura (Stella); fixed in 3.6.6 and 4.1.0.

    CVENVDMbed TLS
See all 32 published disclosures →

[Recognized]

$75K+ in paid or confirmed bounty awards.

Stella's vulnerability research is rewarded by enterprise security teams across the industry. Every bounty is backed by a reproducible, ASAN-verified finding — not a triage queue full of noise.

$ stella ledger --bounties

[ Σ ] Paid or confirmed bounty awards

$75K+

  • [+]Mozilla

    Firefox NSS · mozpkix

    Memory-corruption findings rewarded by Mozilla's bug bounty for the cryptographic core that ships in every Firefox install.

  • [+]Intigriti

    European bounty platform

    Findings validated and paid through Intigriti's enterprise programs covering cryptographic libraries and infrastructure software.

  • [+]YesWeHack

    Public & private programs

    Vulnerabilities accepted across YesWeHack programs spanning critical infrastructure and protocol implementations.

  • [+]Intel

    OpenVINO

    OpenVINO vulnerability research accepted by Intel's security program, adding another enterprise validation path to Stella's infrastructure research ledger.

  • [+]Red Hat

    Coordinated disclosure partner

    GnuTLS findings coordinated through Red Hat Product Security under embargo, with downstream impact assessed across RHEL and OpenShift before public CVE assignment.

Per-program totals withheld for disclosure-policy reasons. Combined figure includes USD payouts, EUR awards converted to USD, and confirmed awards in Stella's submission ledger. Red Hat coordination is not a paying bounty program — listed as an ecosystem partner.

[Who we serve]

Built for the teams that ship critical infrastructure.

Stella's customers are the specialist teams who maintain the C/C++ software the internet depends on, and the security organizations who triage what AI tools now send them.

  • Product Security / PSIRT teams

    At infrastructure software vendors who need an independent verification layer between AI submissions and their engineers.

  • Engineering leaders

    Maintaining C/C++ protocol parsers, TLS libraries, VPN daemons, DNS servers, embedded TCP/IP stacks, and database infrastructure.

  • CTOs at commercial OSS infrastructure companies

    Facing CVE pressure or procurement security questionnaires that demand evidence-backed audits.

  • Security teams adopting AI code-review tools

    Running Mythos, GPT-5.5-Cyber, CodeQL, or Semgrep at scale and needing an independent verification layer between AI output and engineering work.

  • OSS foundations and security funders

    Alpha-Omega, the Linux Foundation, and others underwriting audits of critical open-source projects in C/C++.

[The team]

Built by a memory-corruption specialist.

Stella is founded by Haruto Kimura, a security engineer who specializes in memory-corruption vulnerabilities in C/C++ infrastructure software.

  • Security Engineer, Cyber Defense team, LY Corporation (LINE × Yahoo Japan)
  • 32 CVEs assigned across TLS, VPN, DNS, routing, proxy, and database infrastructure
  • Coordinated disclosure with Mozilla, Arm PSIRT, Intel, ISC/BIND, PowerDNS, strongSwan, FRRouting, and Red Hat Product Security

[Disclosure terms]

Stella's research is conducted under formal coordinated-disclosure terms. Every engagement includes scope authorization, embargo coordination, and liability terms before audit begins.

[Stack]

Built on production-grade cloud infrastructure.

Lilith Engine is a cloud-native product. Audits run on isolated Google Cloud VMs, specialist model passes drive threat modeling and exploration, and deliverables route into the tools your team already uses.

  • Google Cloud Platform

    Isolated audit VMs · ASAN-instrumented reproduction · ephemeral per-target sandboxes

  • Model orchestration layer

    Specialist reasoning for threat modeling, exploration, and evidence-gated finding evaluation

  • GitHub

    Repository ingestion · finding routing via Issues · coordinated-disclosure workflows

  • Slack & Jira

    Critical-finding escalation channels · 24h response on Verified Audit and Triage Retainer engagements

  • PagerDuty

    On-call paging for high-severity findings (Verified Audit and Triage Retainer)

[Service menu]

Services priced for verified outcomes.

Stella sells verification work — not seats, not scans. Most teams start with a fixed-scope Pilot Audit ($15,000, two weeks). Customers who continue can choose a Focused Audit, a Full Verified Audit, a Triage Retainer, or per-class Patch Validation. Open-source maintainers run free under an approval-based contribution track.

Start here

Stella Verified Audit Pilot

Fixed-scope entry audit

$15,000fixed fee · 2 weeks

The starting point for first customers and teams who want to see Stella's deliverable quality on one repository or component before expanding scope.

  • 1 repository or component
  • Verified findings only
  • Reproducible PoCs · sanitizer evidence · source-citation validation
  • CVSS / CWE drafts
  • Patch guidance + coordinated disclosure support
Start a pilot audit

Focused Audit

Deeper work on a narrow surface

$18K–$25K2–3-week engagement

For teams that want more depth than the pilot but are not ready for a full 4-week audit. Best for one library, firmware component, parser, protocol surface, or robotics / embedded component.

  • 1 focused library, parser, protocol, firmware, or embedded component
  • Depth beyond the pilot without a full product-area commitment
  • Reproducible PoCs · sanitizer evidence · source-citation validation
  • CVSS / CWE drafts and patch guidance
  • Coordinated disclosure support when findings qualify
Scope a focused audit
Full scope

Full Verified Audit

Full-scope verification of one product area

From $30K4-week engagement

One product area or protocol surface you ship. Best for product-security teams that need a full-scope verification cycle ending in patch validation, embargo coordination, and CVE submission support.

  • 1 product area or protocol surface
  • Full-scope C/C++ verification
  • Reproducible PoCs · sanitizer evidence · source-citation validation
  • Patch validation sprint included
  • Embargo coordination + CVE submission
Talk to us

Triage Retainer

Verify incoming AI-generated reports

$8K–$20Kper month

PSIRTs and bug-bounty programs drowning in AI-generated submissions. We classify each incoming report as real, duplicate, false positive, or security-relevant, and return the engineering-actionable shortlist.

  • Verify your incoming AI reports, fuzzer crashes, and external submissions
  • Classification: real / duplicate / false-positive / sec-relevant
  • Coordinated reply drafts back to the submitter
  • Best for PSIRTs and bug-bounty programs
  • Monthly engagement, scale up/down as volume changes
Talk to us

Patch Validation

Confirm the fix holds — no variants left

$5K–$12Kper vulnerability class

Vendors with embargoed CVEs or compliance pressure who need an independent check that the patch actually fixes the root cause and that no variant remains in adjacent code paths.

  • We validate your patch fixes the root cause
  • Variant analysis across the affected component
  • Per-class deep dive, retainer available
  • Useful for vendors with embargoed CVEs or compliance pressure
  • Delivered alongside the original disclosure timeline
Talk to us

Open Source

Our contribution to critical OSS security

Freeapproval-based

Maintainers of significant open-source C/C++ infrastructure projects. Not the primary offering — this is how Stella gives back to the upstream ecosystem we depend on.

  • 1 codebase, approved per project
  • Coordinated disclosure handled by Stella
  • CVE submission and vendor coordination
  • "Powered by Lilith" credit in advisories
  • Limited capacity — review takes ~1 week
Apply for OSS access

Early-stage and first-time customer scopes can start smaller. We are happy to scope a narrow component before expanding into a full product-area audit.

[Approach]

How a Stella engagement compares.

Traditional specialist audits can be expensive and calendar-heavy. Stella starts with a fixed-scope pilot and delivers verified, reproducible findings on a faster cadence.

[+]Stella Verified Audit

Cost
$15K Pilot; $18K–$25K Focused Audit; Full Verified Audit from $30K
Time to Results
2-week pilot · 2–3-week focused audit · 4-week full audit
Proof Quality
ASAN / UBSan / MSan-verified PoCs · source-citation validated
Analysis Method
AI-augmented verification harness, human-reviewed
Deliverable
CVE-ready report with PoC, patch guidance, disclosure language

Manual Boutique Audit

Cost
Traditional specialist audits can reach $50K–$150K
Time to Results
Often calendar-heavy; multi-month scopes are common
Proof Quality
Varies by auditor
Analysis Method
Human intuition
Deliverable
PDF report

[Get started]

Three steps from sign-up to your first finding.

No CLI to install, no SDK to integrate. Lilith Engine runs entirely on Stella's infrastructure — you connect a Git repository and findings arrive in the channels your team already uses.

  1. 01

    Start with a Pilot Audit

    Two weeks, $15,000, fixed scope, one repository or component. Begin via the pilot CTA above or request a Focused Audit, Full Verified Audit, Triage Retainer, or Patch Validation. Open-source maintainers apply for the approval-based OSS track.

  2. 02

    Scope, NDA, authorization

    30-minute scoping call to confirm the target fits Stella's specialization (C/C++ infrastructure software). NDA and coordinated-disclosure scope authorization are signed before audit begins. You grant Stella read-only access to the repository — no agent to install, no code copied outside Stella's GCP infrastructure.

  3. 03

    Verified findings, then patches

    Lilith's verification harness gates every candidate on AddressSanitizer / UBSan / MSan before it leaves the pipeline. Verified findings ship as CVE-ready Markdown with reproducible PoCs and disclosure language. A 1-week patch-validation window follows so we confirm the fix holds.

See the service menuRequest a pilot audit