dmk.sh /research
Advisories

Coordinated security advisories

Published after vendor coordination, with reproducible technical detail and remediation timelines where available.

CVE
Severity
Title
Score
Disclosed
CVE-2010-2484
medium
PHP strrchr() userspace interruption — reference mutation during error handling
5.0
Jul 22, 2010

Disclosure policy

I report findings privately to vendors with a 90-day disclosure window from initial contact. I extend the window for vendors who acknowledge receipt within 72 hours and demonstrate progress. PGP key in the footer.

Related vulnerability research

Historical note · not a coordinated advisory
The PHP concat operator interruption — a bug I sat on for thirteen years

A first-person account of an unreported bypass of CVE-2010-2191 I found around 2010, never disclosed, and which lived on in shipped PHP until 8.3.0 in November 2023. What I did, what I didn't, and what the project did and didn't.