~ / foobarto.me / disclosures
$ ls -lht ./disclosures

Security Disclosures

Coordinated-disclosure advisories for vulnerabilities I've found and reported to vendors. Each entry tracks a single issue from triage through public disclosure, with the technical write-up published once the embargo lifts and the advisory is finalised.

Findings still under embargo are listed but not published — the advisory body goes up after the vendor has shipped a fix or the 90-day window expires. Only entries marked published link through to a full write-up.
── released · 0 advisories ──────────
soon · first advisories release once embargoes lift
── pending · 1 finding ──────────
2026-04-15
Remote-controlled VS Code command execution via unauthenticated announcement channel in `antigravity-cockpit`
jlcodes.antigravity-cockpit (VS Code Marketplace) — https://github.com/jlcodes99/vscode-antigravity-cockpit · status: reported · embargo lifts ~2026-07-26
high · CWE-78 · embargoed
1 finding tracked