Lilith — the AI-augmented verification harness behind every Stella audit.

Lilith orchestrates frontier LLMs across a 20-phase pipeline with verification gates between every stage, then a human auditor reviews and signs off the deliverable. Every finding is reproduced on isolated GCP infrastructure with AddressSanitizer / UBSan / MSan, and every source citation is validated against the actual repository revision, before it ever reaches you.

[Company & business]

Stella is a public, digital-native verification security business.

Stella LLC runs verification-first vulnerability research on C/C++ infrastructure software through the Lilith engine. Scoping, execution, verification, and delivery happen online for open-source maintainers, security teams, and infrastructure vendors worldwide.

Legal entity

合同会社Stella (Stella LLC)

Founded March 2026 · Japanese company · Haruto Kimura, Representative Director

Engine

Lilith engine

A 20-phase AI-augmented verification pipeline that gates every LLM handoff with sanitizer-backed and source-citation checks. A human auditor reviews and signs off every deliverable.

Business model

Pilot audits + verified audits & retainers

Engagements start at a two-week $15K Pilot Audit; customers who continue choose a Focused Audit ($18K–$25K), Full Verified Audit (from $30K), Triage Retainer ($8K–$20K/mo), or per-class Patch Validation ($5K–$12K). OSS maintainers run free under an approval-based contribution track.

Team

Haruto Kimura

Founder & CEO · LY Corporation (LINE × Yahoo Japan)

Availability

Global delivery from Japan

Runs on Stella-managed Google Cloud infrastructure and delivers findings through GitHub Issues, Slack, Jira, and email.

Traction

32 CVEs · $75K+

32 published · 59 accepted findings · 40+ targets audited

Contact

contact@stellasec.ai

Business email on the same stellasec.ai domain. Typical response within 24 hours.

[The product]

Lilith Engine — the implementation customers integrate with.

Lilith Engine is the SaaS-delivered version of Lilith that ships to paying customers. It runs entirely on Stella's GCP infrastructure, connects to your Git repository through a hosted control plane, and posts findings into the channels your team already uses. There is no agent for you to install, no OAuth dance, no CLI dependency — Stella owns the operational surface, you receive the deliverable.

Execution layer
Pure Python orchestration pipeline with provider-isolated model calls, deterministic verification gates, and production-oriented job control.
Authentication
Stella holds the API keys on our side; nothing for the customer to install or authenticate against. You connect a Git repo, we run the pipeline.
Verification infrastructure
Every candidate finding is rebuilt with AddressSanitizer on disposable Ubuntu 22.04 GCP VMs. Hallucinated traces are rejected by the evidence gate before they leave the pipeline.
Integrations
GitHub Issues, Slack, Jira, PagerDuty, email. Critical findings on Verified Audit and Triage Retainer engagements escalate within 24–72 hours.
Verification model
Stella prices the specialist verification work: reproduction, sanitizer evidence, source-citation checks, human review, patch guidance, and coordinated disclosure support.

[Inside Lilith]

Four stages, twenty phases, deterministic gates.

Lilith's pipeline runs under Python control. Every LLM handoff passes through a verification gate that cannot be bypassed, and a human auditor reviews the final deliverable before it leaves Stella.

01

Reconnaissance

Lilith ingests the target, classifies its threat model (library, daemon, parser), loads relevant protocol specifications, and surveys prior vulnerability patterns for the ecosystem.

02

Exploration

Parallel LLM explorers analyze code paths, cross-reference against RFCs, and generate adversarial attack hypotheses. An evaluator phase filters weak candidates before expensive verification.

03

Verification

Each surviving candidate compiles against an ASAN-instrumented build on isolated GCP instances. An evidence gate rejects hallucinated stack traces — only reproducible crashes continue.

04

Reporting

Lilith packages validated findings as CVE-ready markdown — CWE classification, CVSS scoring, runnable PoC code, and coordinated-disclosure guidance. A human auditor reviews the report and signs it off before delivery.

[Capabilities]

What Lilith finds.

Lilith targets vulnerability classes across memory safety, protocol compliance, cryptography, and application logic.

>_Memory safety vulnerabilities

Buffer overflows, use-after-free, null pointer dereferences, integer overflows, and other memory corruption issues.

>_Protocol compliance violations

Deviations from RFC specifications in TLS, DTLS, X.509, DNS, and other protocol implementations.

>_Cryptographic weaknesses

Key handling errors, padding oracle conditions, timing side channels, and cipher implementation flaws.

>_Logic and state machine errors

Authentication bypasses, state machine violations, race conditions, and improper input validation.

[Targets]

Battle-tested across infrastructure.

Codebases Stella has audited or is actively auditing, grouped by domain.

[Cryptographic libraries]

wolfSSL · Arm mbedTLS · GnuTLS · Mozilla NSS (Firefox)

[VPN & tunneling]

strongSwan · OpenVPN · SoftEther VPN

[Routing & DNS]

FRRouting · PowerDNS

[Inference & ML]

Intel OpenVINO

[Database infrastructure]

PgBouncer (PostgreSQL)

[Trust & security]

How Lilith Engine handles your code, your findings, and your disclosure.

Stella is a security company; we hold our own infrastructure to the standard we apply to our targets. The questions below are the ones a CISO asks before signing — answered concretely, not in marketing language.

How does Lilith Engine access my code?
Read-only access only. For GitHub repositories you grant Stella a fine-scoped GitHub App installation or a deploy key restricted to the target repository. For private mirrors we accept signed Git URLs or a one-time tarball. Stella never asks for organization-wide tokens, write access, or production credentials.
Where is my code stored during analysis?
Source is cloned into ephemeral Google Cloud VMs provisioned per audit, inside Stella's GCP project. VMs are destroyed when the audit completes. Code is not copied to laptops, third-party storage, or any non-GCP region. Stella's GCP organization uses customer-managed encryption keys (CMEK) for at-rest data and TLS 1.3 for everything in transit.
What is retained after an audit ends?
Findings (Markdown disclosures, PoC code, ASAN traces) are retained for your record-keeping and disclosure paper trail — these belong to you. Cloned source code is not retained beyond the audit window. Aggregated, anonymized statistics (number of findings, severity distribution) are kept for product improvement only — never tied to your codebase or organization.
Who owns the findings, and what about IP?
On paid tiers, all findings on your codebases are exclusively yours. You decide whether, when, and how to disclose. Stella will not publish anything about your codebase without your explicit written consent. For Open Source tier projects, Stella coordinates disclosure with the upstream maintainer and submits the CVE under standard coordinated-disclosure norms.
How are critical findings handled?
On Verified Audit and Triage Retainer engagements, findings rated High or Critical (CVSS 7.0+) are escalated within 24–72 hours via the channels you configure — Slack, PagerDuty, email, or Jira. Stella holds findings under embargo until you authorize disclosure, and respects vendor-specific coordinated-disclosure timelines (typically 90 days, extendable on request).
Who has access to my data on Stella's side?
Stella is a small team (founder + contractors under NDA). Only personnel directly assigned to your engagement have access to audit artifacts. Access is enforced via least-privilege IAM on GCP, audited via Cloud Audit Logs. Stella does not subcontract analysis to third-party vendors.

[Proven Results]

Real vulnerabilities, real impact.

Thirty-two CVEs publicly disclosed across CVE.org, NVD, and vendor advisories — spanning memory corruption, certificate validation, denial-of-service, routing-protocol parsing, and authorization bypasses — credited to Haruto Kimura (Stella). Nine FRRouting IDs (CVE-2026-39265–39274) were assigned on 2026-05-28 and are awaiting CNA publication.

$ lilith feed --published
  • CRIT · CVE-2026-34875 · CVSS 9.8 · Arm Mbed TLS/PSA Crypto FFDH

    Buffer overflow in FFDH public key export

    psa_export_public_key() fails to verify the caller-provided output buffer is large enough for FFDH public keys, overflowing the buffer during export. Credited to Haruto Kimura (Stella); fixed in Mbed TLS 3.6.6 and TF-PSA-Crypto 1.1.0.

  • CRIT · CVE-2026-6665 · CVSS 9.8 · PostgreSQL/PgBouncer SCRAM

    Stack buffer overflow (CWE-121)

    PgBouncer's SCRAM authentication path assembles the client-final-message with strlcat() but ignores the return value, so a malicious PostgreSQL backend supplying an oversized nonce in server-final-message overflows the on-stack response buffer. Affects PgBouncer prior to 1.25.2.

  • HIGH · CVE-2026-25833 · CVSS 7.5 · Arm Mbed TLS/x509_inet_pton_ipv6()

    Buffer underflow / underread

    The fallback IPv6 parser can walk before the start of the input buffer when handling IPv4-mapped portions, causing a small buffer underread and rare denial-of-service conditions. Credited to Haruto Kimura (Stella); fixed in 3.6.6 and 4.1.0.

  • HIGH · CVE-2026-33593 · CVSS 7.5 · PowerDNS/DNSdist

    Divide-by-zero denial of service

    Crafted DNSCrypt query triggers a divide-by-zero that crashes DNSdist. Affects 1.9.0–1.9.12 and 2.0.0–2.0.3; patched in 1.9.13 and 2.0.4.

  • HIGH · CVE-2026-33846 · CVSS 7.5 · GnuTLS/DTLS handshake reassembly

    Heap buffer overflow

    DTLS handshake fragments with inconsistent message_length values can be merged into a buffer sized from a smaller fragment, causing an out-of-bounds heap write. Independently reported by Haruto Kimura (Stella); fixed in GnuTLS 3.8.13.

  • HIGH · CVE-2026-34874 · CVSS 7.5 · Arm Mbed TLS/X.509 distinguished names

    NULL pointer dereference

    Allocation failure during mbedtls_x509_string_to_names() can drive memcpy() with a NULL destination, causing denial of service on protected platforms and possible address-0 writes on microcontrollers. Credited to Haruto Kimura (Stella); fixed in 3.6.6 and 4.1.0.

  • HIGH · CVE-2026-35328 · CVSS 7.5 · strongSwan/libtls supported_versions

    Infinite loop denial of service

    Malformed TLS supported_versions extensions with odd byte length leave libtls stuck in process_client_hello(), allowing unauthenticated attackers to exhaust the daemon's thread pool. Affects strongSwan 5.9.2 and later; fixed in 6.0.6.

  • HIGH · CVE-2026-35329 · CVSS 7.5 · strongSwan/PKCS#5 / PKCS#7

    NULL pointer dereference

    Zero-length plaintext in encrypted PKCS#5 or PKCS#7 containers reaches padding removal code that reads the last byte without checking that data exists. Remotely reachable via IKEv1 CERT payloads; fixed in 6.0.6.

  • HIGH · CVE-2026-35332 · CVSS 7.5 · strongSwan/libtls ECDH

    NULL pointer dereference

    TLS versions before 1.3 accept an empty ECDH ClientKeyExchange public value, which can crash the libtls server path during EAP-TLS processing. Affects strongSwan 4.5.0 and later; fixed in 6.0.6.

  • HIGH · CVE-2026-35333 · CVSS 7.5 · strongSwan/libradius

    Integer underflow / infinite loop

    RADIUS attributes with length 0 or 1 underflow attribute parsing state and can trigger an infinite loop or out-of-bounds read in libradius. Independently found by Haruto Kimura (Stella); fixed in 6.0.6.

  • HIGH · CVE-2026-39265 · CVSS 7.5 · FRRouting/bgpd BGP-LS

    Memory leak (CWE-401)

    bgp_ls_attr_free() in bgpd/bgp_ls_nlri.c omits admin_group_term(), leaking the Extended Admin Group bitmap on every BGP UPDATE that carries a BGP-LS NLRI. Sustained UPDATE flooding exhausts heap memory and crashes bgpd, taking down all BGP routes. Affects FRRouting through 10.5.3; fixed in 10.6.0.

  • HIGH · CVE-2026-6666 · CVSS 7.5 · PostgreSQL/PgBouncer

    NULL pointer dereference (CWE-476)

    PgBouncer crashes when a backend PostgreSQL server returns an ErrorResponse lacking the SQLSTATE field — the parser dereferences a NULL pointer, terminating the pooler and disconnecting every client multiplexed through it. Affects PgBouncer prior to 1.25.2.

  • HIGH · CVE-2026-35331 · CVSS 7.4 · strongSwan/constraints plugin

    X.509 name-constraint bypass

    Case-sensitive matching in the constraints plugin lets certificates violate excluded X.509 name constraints by varying case while regular identity matching remains case-insensitive. Affects strongSwan 4.5.1 and later; fixed in 6.0.6.

  • HIGH · CVE-2026-42011 · CVSS 7.4 · GnuTLS/Certificate name constraints

    Name-constraint bypass (CWE-295)

    GnuTLS incorrectly ignored permitted name constraints when prior CAs in the chain carried only excluded constraints, letting a name-constrained CA escape its permitted namespace and enabling spoofing or MITM. Coordinated through Red Hat; affects RHEL 6–10 and OpenShift Container Platform.

  • MED · CVE-2026-3849 · CVSS 6.9 · wolfSSL/HPKE (ECH)

    Stack buffer overflow

    Stack overflow in wc_HpkeLabeledExtract via oversized ECH config. Malicious ECH configs overflow the client stack during Encrypted Client Hello. Patched by wolfSSL within hours.

  • MED · CVE-2026-6767 · CVSS 6.8 · Mozilla/Firefox NSS (mozpkix)

    mozpkix name-constraint bypass

    mozpkix matches wildcard DNS SANs against narrower dNSName name constraints, letting a name-constrained CA escape its permitted namespace. Fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • MED · CVE-2026-39266 · CVSS 6.5 · FRRouting/ospfd MPLS-TE (ospf_te_parse_te)

    Out-of-bounds read (CWE-125)

    ospf_te_parse_te() in ospfd/ospf_te.c validates that each LINK sub-TLV fits in the LSA but does not check that the sub-TLV body is large enough for the fixed-size struct copy, and decrements the remaining-length counter by a fixed constant while advancing the pointer by the attacker-controlled length — desynchronizing the parser. An adjacent OSPF neighbor can crash ospfd with a crafted Opaque LSA type 10. Affects all FRRouting releases through 10.6.0; fix pending in PR #21303.

  • MED · CVE-2026-39268 · CVSS 6.5 · FRRouting/ospfd Segment Routing (get_ext_link/prefix_sid)

    Out-of-bounds read (CWE-125)

    get_ext_link_sid() and get_ext_prefix_sid() in ospfd/ospf_sr.c cast Extended Link / Extended Prefix sub-TLV bodies (Adj-SID, LAN-Adj-SID, Prefix-SID) to fixed-size structs without checking the declared body length covers those struct offsets. An adjacent attacker with Segment Routing enabled can crash ospfd via a crafted Opaque LSA type 10 carrying an undersized sub-TLV. Affects all FRRouting releases through 10.6.0; fix pending in PR #21303.

  • MED · CVE-2026-39269 · CVSS 6.5 · FRRouting/ospfd Router Information (SRGB/SRLB)

    Out-of-bounds read (CWE-125)

    ospf_sr_ri_lsa_update() in ospfd/ospf_sr.c stores SRGB (type 9) or SRLB (type 14) range TLV pointers inside its switch/case but accesses ri_sr_tlv_sid_label_range struct fields ~40 lines later, outside the per-TLV body-length check. A crafted Router Information Opaque LSA with an undersized range TLV triggers an out-of-bounds heap read in ospfd. Requires Segment Routing enabled. Affects all FRRouting releases through 10.6.0; fix pending in PR #21303.

  • MED · CVE-2026-39270 · CVSS 6.5 · FRRouting/ospfd Extended Prefix / Extended Link

    Out-of-bounds read (CWE-125)

    ospf_te_parse_ext_pref() and ospf_te_parse_ext_link() in ospfd/ospf_te.c cast the LSA body to ext_tlv_prefix / ext_tlv_link structs and read struct fields before validating the TLV body size. With OSPF_OPAQUE_LSA_MIN_SIZE = 0, a 4-byte opaque LSA body reads 12–16 bytes past the allocation. AddressSanitizer-verified heap-buffer-overflow READ. Affects all FRRouting releases through 10.6.0 when MPLS-TE is enabled; fix pending in PR #21303.

  • MED · CVE-2026-39271 · CVSS 6.5 · FRRouting/eigrpd (eigrp_read_ipv4_tlv)

    Reachable assertion (CWE-617)

    eigrp_read_ipv4_tlv() in eigrpd/eigrp_packet.c performs 15–18 sequential stream_getw / stream_getl / stream_getc calls (26–29 bytes) on an IPv4 Internal Route TLV without any STREAM_READABLE() check. A crafted EIGRP packet with an undersized TLV exhausts the stream mid-read, triggering assert(0) and SIGABRT in eigrpd. No EIGRP authentication required. Affects FRRouting through 10.5.3; fixed in 10.6.0.

  • MED · CVE-2026-39272 · CVSS 6.5 · FRRouting/isisd (unpack_tlv_router_cap)

    Reachable assertion (CWE-617)

    unpack_tlv_router_cap() in isisd/isis_tlvs.c reads sub-sub-TLV bodies in the Flexible Algorithm Definition (FAD) loop based on the attacker-controlled subsubtlv_len without verifying the bytes remain in the stream; a uint8_t underflow in the loop counter also produces hundreds of spurious iterations. A single crafted IS-IS Hello PDU with a Router Capability TLV (242) and a FAD sub-TLV (26) crashes isisd via assert(0). No IS-IS authentication required in the default config. Affects all FRRouting releases through 10.6.0; fix merged after the 10.6.0 cut.

  • MED · CVE-2026-39273 · CVSS 6.5 · FRRouting/eigrpd (eigrp_query_receive)

    Integer underflow → reachable assertion (CWE-191)

    eigrp_query_receive() in eigrpd/eigrp_query.c subtracts 4 from a uint16_t length when skipping an unknown TLV without checking length ≥ 4. A crafted EIGRP QUERY or SIAQUERY with length=2 wraps to 65534, driving a loop of stream_getc() calls that exhausts the stream and triggers assert(0) in eigrpd. No EIGRP authentication required. Affects FRRouting through 10.5.3; fixed in 10.6.0.

  • MED · CVE-2026-39274 · CVSS 6.5 · FRRouting/eigrpd (eigrp_reply_receive)

    Reachable assertion (CWE-20)

    eigrp_reply_receive() in eigrpd/eigrp_reply.c reads the 2-byte TLV type and, on any non-IPv4-internal type, executes 'continue' without consuming the length field or TLV body — leaving the stream pointer mid-TLV. Subsequent iterations misread bytes as TLV types and eventually call stream_getw() with one byte remaining, triggering assert(0) in eigrpd. No EIGRP authentication required. Affects FRRouting through 10.5.3; fixed in 10.6.0.

  • MED · CVE-2026-33258 · CVSS 5.3 · PowerDNS/Recursor

    Unbounded NSEC(3) cache allocation

    Crafted zone forces large allocations in the negative and aggressive NSEC(3) caches, exhausting recursor memory. Affects 5.2.0–5.2.8, 5.3.0–5.3.5, and 5.4.0.

  • MED · CVE-2026-6766 · CVSS 5.3 · Mozilla/Firefox NSS

    Integer underflow in tls13_AEAD

    Missing length guard in tls13_AEAD causes inLen - tagLen to underflow on short QUIC records, producing a wild-address write during AEAD decryption. Affects users with external PKCS#11 modules; fixed in Firefox 150 and Firefox ESR 140.10.

  • MED · CVE-2026-2646 · CVSS 5.0 · wolfSSL/Session Parsing

    Heap buffer overflow

    Heap overflow in wolfSSL_d2i_SSL_SESSION. Certificate and session ID lengths deserialized from untrusted input without bounds validation when SESSION_CERTS is enabled.

  • MED · CVE-2026-33259 · CVSS 5.0 · PowerDNS/Recursor

    RPZ use-after-free

    Concurrent transfers of the same RPZ desynchronize internal state, producing use-after-free and recursor crashes. Affects 5.2.0–5.2.8, 5.3.0–5.3.5, and 5.4.0.

  • MED · CVE-2026-6667 · CVSS 4.3 · PostgreSQL/PgBouncer admin console

    Missing authorization (CWE-862)

    PgBouncer's KILL_CLIENT admin command is reachable from any authenticated console session, not only from accounts listed in admin_users. A non-admin operator can sever arbitrary client sessions — an integrity gap against the pooler's documented privilege boundary. Affects PgBouncer prior to 1.25.2.

  • MED · CVE-2026-42013 · CVSS pending · GnuTLS/Certificate hostname validation

    Certificate misuse

    Certificates with oversized Subject Alternative Names could fall back to Common Name hostname checks, allowing validation behavior outside the intended SAN boundary. Independently reported by Haruto Kimura (Stella); fixed in GnuTLS 3.8.13.

  • LOW · CVE-2026-4395 · CVSS 1.3 · wolfSSL/wolfcrypt ECC

    Heap buffer overflow

    Heap overflow in wc_ecc_import_x963_ex on the KCAPI path. A crafted oversized EC public key point writes attacker-controlled data past the pubkey_raw buffer.

  • LOW · CVE-2026-4159 · CVSS 1.2 · wolfSSL/PKCS#7

    Out-of-bounds heap read

    1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData triggered by CMS EnvelopedData with zero-length encrypted content. Affects wolfSSL 5.8.4 and earlier.
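The eigrpd entries in the feed above (CVE-2026-39271, CVE-2026-39273, CVE-2026-39274) all reduce to one parser discipline: bound every read by the bytes actually remaining, reject a TLV length smaller than its header before subtracting from it, and consume unknown TLVs whole so the cursor never lands mid-TLV. The walker below is an added illustration written for this page, not FRRouting's code; the 2-byte-type / 2-byte-length layout, the "known" type value, its 5-byte fixed body and the sample buffers are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed TLV layout for this example (not eigrpd's wire format):
 * 2-byte type, 2-byte big-endian length counting the 4-byte header, then body. */
#define TLV_HDR 4
#define TLV_KNOWN_TYPE 0x0102   /* assumed type whose body has 5 fixed bytes */
#define TLV_KNOWN_FIXED 5

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* The unchecked idiom: subtracting the header from a uint16_t length before
 * checking length >= 4 wraps (2 - 4 -> 65534), so a skip loop driven by this
 * value keeps reading long after the real body ended. Exposed for the test. */
uint16_t naive_body_len(uint16_t tlv_len)
{
    return (uint16_t)(tlv_len - TLV_HDR);
}

/* Hardened walker: returns the number of TLVs consumed, or -1 on malformed
 * input; *known counts TLVs of TLV_KNOWN_TYPE. Every access is checked against
 * the bytes left in the buffer, so no read can run off the end. */
int walk_tlvs(const uint8_t *buf, size_t buflen, int *known)
{
    size_t off = 0;
    int n = 0;
    *known = 0;
    while (off < buflen) {
        if (buflen - off < TLV_HDR)
            return -1;                  /* truncated header */
        uint16_t type = rd16(buf + off);
        uint16_t len = rd16(buf + off + 2);
        if (len < TLV_HDR)
            return -1;                  /* would underflow: reject, never subtract */
        if (len > buflen - off)
            return -1;                  /* declared body runs past the buffer */
        if (type == TLV_KNOWN_TYPE) {
            if (len - TLV_HDR < TLV_KNOWN_FIXED)
                return -1;              /* body too short for the fixed fields */
            (*known)++;
        }
        off += len;                     /* unknown types: skip header AND body */
        n++;
    }
    return n;
}

/* Small wrappers so each result is a plain return value. */
int tlv_count(const uint8_t *buf, size_t buflen) { int k; return walk_tlvs(buf, buflen, &k); }
int tlv_known(const uint8_t *buf, size_t buflen) { int k; return walk_tlvs(buf, buflen, &k) < 0 ? -1 : k; }

/* Constructed sample buffers (not captured traffic). */
const uint8_t SAMPLE_OK[] = {
    0x00, 0x01, 0x00, 0x06, 0xAA, 0xBB,                    /* unknown type, 2-byte body */
    0x01, 0x02, 0x00, 0x09, 0x0A, 0x00, 0x00, 0x01, 0x18   /* known type, 5-byte body */
};
const uint8_t SAMPLE_LEN2[]  = { 0x00, 0x01, 0x00, 0x02 };              /* length 2 < header */
const uint8_t SAMPLE_TRUNC[] = { 0x01, 0x02, 0x00, 0x09, 0x0A, 0x00 };  /* claims 9, has 6 */

int main(void)
{
    printf("naive body length for len=2: %u\n", (unsigned)naive_body_len(2));
    printf("ok: %d tlvs, %d known\n", tlv_count(SAMPLE_OK, sizeof SAMPLE_OK), tlv_known(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("len2: %d  trunc: %d\n", tlv_count(SAMPLE_LEN2, sizeof SAMPLE_LEN2), tlv_count(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```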

[ $ lilith run --target your-codebase ]

Audit your infrastructure with Stella.

Tell us about the codebase you want audited. We respond within 24 hours with scoping questions and an engagement proposal.