From Finding to Fix: Submitting Security Patches to Open Source Projects

Posted on Wed 13 May 2026 in Thought, vulnerability research and discovery • Tagged with chronicles, vulnerability research, vulnerability discovery, QuickJS, open source, patch submission, methodology

Finding a bug is the first half. Getting the fix shipped is a different skill set entirely, and almost nobody writes about it.

Most security research ends at the proof of concept. You found the thing, you have a crash, maybe a writeup. What happens next is either a CVE …


Continue reading

When the Fix Is the Bug: Two QuickJS Findings from a WebKit Audit Harness

Posted on Mon 11 May 2026 in Thought, vulnerability research and discovery • Tagged with chronicles, vulnerability research, vulnerability discovery, QuickJS, JavaScript engines, patch auditing, methodology

I built this pipeline for WebKit. The idea was simple: stop reading patches and start attacking them. Every proposed fix gets treated as a hypothesis, if this commit closes off attack surface X, the job is to prove it, find the adjacent sites it missed, and explicitly challenge the "currently …


Continue reading