Auditor Core v2.2.1 · Responsibly Disclosed · Real Findings Only
Responsible Disclosure Record

Public Security Audits

Real vulnerabilities found in open-source projects, manually verified, and responsibly disclosed. Every finding here was confirmed before publication — no automated output was published unreviewed.

  • 30 critical findings
  • 2 projects audited
  • 15+ vulnerabilities fixed
  • 5 PRs / releases
  • <24h average fix time

Disclosure Log

Sorted by date — newest first
April 2026 · Fixed · v0.18.13 & v0.18.14 released
23 CRITICAL
SQL Injection · SSRF · Session Security · Secrets Mgmt · SPI 50.55 / Grade C

Full-stack Node.js application audit. 23 CRITICAL and 23 HIGH findings across SQL injection patterns, SSRF via an audio proxy, missing authentication on streaming endpoints, insecure session cookies, path traversal, and plain-text secret storage. AI validation dismissed 10 false positives from the initial scan. The maintainer shipped two releases directly in response: rate limiting, helmet headers, SSRF defense, a path traversal fix, and a layered secret resolution chain.

SOC 2 Audit Impact

A SOC 2 Type II auditor reviewing this codebase would flag the SQL injection patterns under CC6.1 and CC6.6, and the plain-text secret storage under CC6.7. These findings typically trigger a qualified opinion or require additional compensating controls, delaying certification by weeks and adding remediation cost late in the audit cycle. The SSRF vector in an authenticated endpoint would additionally surface under CC7.1 as an unmonitored external communication channel.

What an Auditor Would Ask
  • How are database credentials and API secrets managed across environments?
  • Is there a centralized secret rotation policy with documented evidence?
  • Are outbound HTTP requests from the application logged and monitored?
  • What controls prevent unauthenticated access to streaming or media endpoints?
Business Exposure Scenarios
  • Discovered during audit → Management letter issued, compensating controls required before opinion issued, certification delayed.
  • Discovered post-report → Customer notification obligation triggered, trust service criteria re-evaluated, re-audit scope expansion.
  • Exploited in production → Incident disclosure requirement under applicable data protection law, potential breach of customer SLA.
18 findings reported · 10 false positives removed by AI · 2 releases shipped
April 29 – May 1, 2026 · Fixed · 3 PRs merged
7 CRITICAL
CI/CD Script Injection · GitHub Actions · SPI 75.5

GitHub Actions script injection via untrusted pull request contexts. Seven confirmed vulnerabilities across 6 workflow files: both github.event.pull_request.title and github.head_ref were interpolated directly into run: shell steps. Two additional files (mega-linter.yml, mega-linter-for-runner.yml) were missed in the initial fix and reported separately. All three fix PRs were merged within 24 hours.
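
As an added example (not Auditor Core's detector and not MegaLinter's workflow), a small scanner for the pattern described above: it flags untrusted contexts that appear inside run: steps, and the constructed sample workflow places the vulnerable interpolation next to the env: indirection fix, which the scanner correctly leaves alone.

```python
import re

# Constructed sample workflow (not MegaLinter's): step one interpolates untrusted
# PR contexts straight into run: (shell sees script text); step two uses env: (data).
SAMPLE_WORKFLOW = """\
name: lint
on: pull_request_target
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "PR: ${{ github.event.pull_request.title }}"
          git checkout ${{ github.head_ref }}
      - name: hardened
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "PR: $PR_TITLE"
          git checkout "$HEAD_REF"
"""

# Contexts an external contributor controls: the two named on this page plus
# a few more from GitHub's documented list of user-writable event fields.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.pull_request\.(title|body|head\.(ref|label))"
    r"|github\.head_ref|github\.event\.(issue|comment|review)\.body"
    r"|github\.event\.commits\[\d+\]\.message)\s*\}\}"
)

def find_run_injections(text):
    """Return (line_no, context) for untrusted expressions inside run: steps."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        key = stripped[2:] if stripped.startswith("- ") else stripped
        if key.startswith("run:"):            # inline or block-scalar run:
            in_run, run_indent, body = True, indent, key[4:]
        elif in_run and indent > run_indent:  # continuation of the block
            body = stripped
        else:                                 # env:, name:, next step, ...
            in_run = False
            continue
        findings.extend((no, m.group(1)) for m in UNTRUSTED.finditer(body))
    return findings
```

Running it on the sample reports only lines 9 and 10 (the vulnerable step); the env: block is not a run: step, so the same expressions there produce no finding.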

SOC 2 Audit Impact

Any team using MegaLinter in their CI/CD pipeline inherited this injection vector. Under SOC 2, an unpatched CI/CD script injection falls under CC8.1 (change management controls) and CC6.6 (logical access controls over infrastructure). An auditor discovering this post-certification would require immediate remediation evidence and could trigger a scope expansion. Teams relying on MegaLinter for their own compliance pipelines were unknowingly running a vulnerable gatekeeper.

What an Auditor Would Ask
  • How are third-party CI/CD tools vetted before being introduced into the pipeline?
  • Is there a process for monitoring upstream dependency vulnerabilities in workflow tooling?
  • What evidence exists that pull request inputs are sanitized before use in shell execution?
  • Are pipeline secrets scoped to minimum privilege and rotated on a documented schedule?
Business Exposure Scenarios
  • Discovered during audit → CC8.1 finding raised, change management controls deemed insufficient, auditor requires pipeline remediation evidence before issuing opinion.
  • Discovered post-report → Inherited vulnerability from third-party tool triggers scope re-evaluation, potential management letter addendum.
  • Exploited in production → Attacker gains persistent access to CI environment and secrets store via malicious PR title — full pipeline compromise.
6 workflow files · 2 injection vectors · Fix: <24h
More disclosures in progress — published after verification

How Every Audit Works

No finding is published based solely on automated output. Every entry in this log passed all four stages below.

Step 01

Deterministic scan

Auditor Core v2.2.1 runs 11 detectors — SAST, secrets, IaC, CI/CD, dependency, license.

Step 02

Manual triage

Every flagged finding is reviewed against the live repository. Intentional patterns are excluded.

Step 03

Independent verification

Each surviving finding is independently confirmed as exploitable before any disclosure.

Step 04

Responsible disclosure

Reported per the project's SECURITY.md policy. Public only after maintainer acknowledgment or fix.

Want This Level of Analysis For Your Codebase?

Auditor Core v2.2.1 runs fully locally, with no cloud and no telemetry. Findings are mapped to SOC 2, CIS Controls v8 and ISO 27001 out of the box.
