about
I'm Tim. I run an independent vulnerability research lab on my own gear.
stack
The lab runs on a Postgres + pgvector index. What's in it: mirrored vendor source trees and their commit history, upstream patches and stable backport queues, security advisories and CVE records, mailing list archives (oss-security, full-disclosure, lkml, vendor lists), and the social and community channels where security work actually happens in the open. That last bucket covers X, Mastodon, Bluesky, GitHub security discussions, HackerOne reports, conference talks and papers, vendor blogs, and the security newsletters worth reading.
Harnesses keep all of that current. New commits, new advisories, new posts in any of the indexed channels kick off whatever workflow fits: differential analysis, variant hunts in adjacent vendors, signal triage, hypothesis seeding.
Agents work on top of the index. I won't get into the orchestration layer above the agents. That part stays private.
Findings have to anchor to indexed source to come out of the pipeline. Inference without an anchor gets dropped at synthesis. That's what keeps the noise down for a solo operation.
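As an added illustration, not the lab's schema (the page keeps that private): one way to lay out such an index in Postgres + pgvector so that "no anchor, no finding" is enforced by the storage layer as well as at synthesis. Table and column names, the four source kinds, and the 1536-dimension embedding are assumptions; pgvector's `vector`, `hnsw` and `<=>` are real.

```sql
-- Added example, not the lab's code. Names and the embedding width are assumed.
CREATE EXTENSION IF NOT EXISTS vector;

-- Indexed source material: one row per commit, advisory, list post or social post.
CREATE TABLE source_item (
    id         bigserial PRIMARY KEY,
    kind       text NOT NULL CHECK (kind IN ('commit', 'advisory', 'list_post', 'social')),
    origin     text NOT NULL,             -- repo URL, advisory feed, list name, channel
    ref        text NOT NULL,             -- commit sha, advisory id, message-id, post URL
    body       text NOT NULL,
    embedding  vector(1536) NOT NULL,     -- width depends on the embedding model (assumed)
    fetched_at timestamptz NOT NULL DEFAULT now(),
    UNIQUE (origin, ref)                  -- re-ingesting the same item is a no-op, not a duplicate
);

-- Approximate nearest-neighbour index for cosine similarity.
CREATE INDEX source_item_embedding_idx
    ON source_item USING hnsw (embedding vector_cosine_ops);

-- A finding must carry a primary anchor into the index; the column is NOT NULL
-- and a foreign key, so an unanchored inference cannot be stored at all.
CREATE TABLE finding (
    id               bigserial PRIMARY KEY,
    title            text NOT NULL,
    hypothesis       text NOT NULL,
    anchor_source_id bigint NOT NULL REFERENCES source_item(id),
    created_at       timestamptz NOT NULL DEFAULT now()
);

-- Extra anchors (a finding usually cites both a commit and an advisory).
CREATE TABLE finding_anchor (
    finding_id bigint NOT NULL REFERENCES finding(id) ON DELETE CASCADE,
    source_id  bigint NOT NULL REFERENCES source_item(id),
    PRIMARY KEY (finding_id, source_id)
);

-- Variant-hunt seed: for a newly indexed advisory ($1 = its source_item.id),
-- pull the closest commits from repos other than the one the advisory names.
SELECT s.origin, s.ref, 1 - (s.embedding <=> a.embedding) AS cosine_similarity
FROM   source_item a
JOIN   source_item s ON s.kind = 'commit' AND s.origin <> a.origin
WHERE  a.id = $1 AND a.kind = 'advisory'
ORDER  BY s.embedding <=> a.embedding
LIMIT  20;
```

The point of the `NOT NULL` anchor is that it turns the synthesis-time filter into an invariant: anything a downstream agent wants to write up has to name the commit, advisory or post it was derived from, or the insert fails. The `UNIQUE (origin, ref)` pair does the same job for the harnesses, so a re-fetched mailing-list archive cannot inflate the index.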
process
I reproduce everything before reporting. If it doesn't reproduce in lab, it doesn't go to a vendor. Reproduction usually takes longer than the discovery, which is how it should be.
Reports go through the vendor's published security contact. Writeups stay embargoed until the vendor ships a fix and a bulletin is out.
PoC material here demonstrates impact in a lab and stops there. I don't publish material that converts cleanly into intrusion tooling.
scale
The system runs continuously, not in bursts. New upstream commits kick off differential analysis. New advisories kick off variant hunts in adjacent vendors. Social signals (a researcher posting about a finding, a conference abstract, a vendor blog hint) kick off targeted hunts against the area being discussed. The pipeline produces findings faster than I can write them up.
focus
Bug classes the system is good at: identity and capability scope confusion, broker and proxy authorization mistakes, parser and config confusion across language boundaries, incomplete fix variants, and the mess where operator policy meets daemon resource resolution.
Areas currently indexed: container runtimes, Kubernetes operators and proxies, identity overlays and IDP plumbing, secret management, source code automation, and parts of the Linux kernel adjacent to the I/O stack.
engagement
Coordinated disclosure: tim@dtrsecurity.com, PGP fingerprint on the contact page.
Looking for partners, funding to scale this up, or a full-time seat doing this kind of work for someone. Same address. I don't take undisclosed bug reports on behalf of other people.
Attribution URL for security bulletins: https://dtrsecurity.com/. Different format on request.