DELTA OBSCURA
We are the team behind Mission Cyber Sentinel, a mission dedicated to securing 446,000 digital assets globally.
Mission Vector Zero
Mission Vector Zero is dedicated to uncovering high-impact vulnerabilities in 30+ targets, each demonstrably affecting over 250,000 users or digital assets, and meeting the severity threshold of CVSS 6.0 or VRT P1-P3 classification.
Mission Details
Start Date: Nov 02, 2025
Status: Ongoing
Contributors: 7
Description
Through Mission Vector Zero, we aim to identify vulnerabilities in widely used systems and software. Our focus spans the entire technology stack, from web applications to hardware with deliberate emphasis on high-impact, widely adopted targets. Every finding must meet strict, verifiable criteria for impact and adoption.
Scope (for our team)
In scope (examples):
- Web applications
- Binaries and executables
- Servers and server software
- Frameworks and operating systems
- Libraries, extensions, and packages
- Hardware and firmware
- Closed & open-source software
- Public and private bug bounty targets
Note: Inclusion in scope does not mean every category will be actively tested. These are potential target types available for selection.
Objectives
- Identify at least one 0-day vulnerability across 30 high-value targets.
- Each target must have a documented and verifiable user base of ≥ 250,000 users.
Vulnerability Acceptance Criteria
We will not pursue low-impact or trivial issues. Each vulnerability considered for this mission must meet the following standards:
- Must be scored using the CVSS v3 calculator, confirming a severity score of 6.0 or higher
- Alternatively, when using Bugcrowd’s Vulnerability Rating Taxonomy (VRT), only P1-P3 vulnerabilities qualify
Transparency
Unlike previous missions focused on CVE hunting, we cannot always disclose full details of the vulnerabilities identified, especially for private bug bounty or government engagements (e.g., Department of Defense).
Instead, for institutional verification, we will provide the following metadata:
- Reporter name
- Timestamp
- Report ID
Progress
Current mission progress:
| Researcher | Target | Vulnerability | Submission Date | Severity | Report ID/CVE |
|---|---|---|---|---|---|
| Alasdair Gorniak | NASA | Sensitive Data Exposure | 16 Sep 2025 | P3 | 49ee435c-5e66-4093-ac6d-e76835e9fba0 |
| Xoriath | ProjectSend | Cross-Site Scripting | 24 Jun 2025 | High (8.8) | CVE-2025-13232 |
| Daeda1us | Apache Druid | Weak PRNG | 20 Jul 2025 | Critical (9.8) | CVE-2025-59390 |
| oblivionsage | Node.JS | Path Traversal | 23 May 2025 | High (7.5) | CVE-2025-27210 |
| cristibtz | Xibo CMS | Server-Side Template Injection | 3 Oct 2025 | High (7.2) | CVE-2025-62369 |
| Actuator | Color Phone: Call Screen Theme | Escalation of Privilege | 1 Dec 2024 | Critical (9.1) | CVE-2024-53932 |
| Actuator | Video Downloader Pro & Browser | Cross Site Scripting | 1 Sep 2024 | High (8.1) | CVE-2024-46966 |
| KhanMarshai | OpenCart CMS | Race Condition | 10 Dec 2025 | High (7.5) | CVE-2025-15116 |
| Alasdair Gorniak | Microsoft | Remote Code Execution | 17 Jan 2025 | High (8.0) | CVE-2026-20960 |
Milestones
Contributors
| Name | Date Joined |
|---|---|
| Alasdair Gorniak | Nov 02, 2025 |
| Alexandru Ionut Raducu (Xoriath) | Nov 23, 2025 |
| Luke Smith (Daeda1us) | Nov 30, 2025 |
| Halil Oktay (oblivionsage) | Dec 21, 2025 |
| Cristian Branet (cristibtz) | Dec 21, 2025 |
| Edward Warren (Actuator) | Dec 22, 2025 |
| Muhammad Taha Khan (KhanMarshai) | Dec 28, 2025 |
Timeline of Events
Oct 27, 2025
Alasdair Gorniak identified a sensitive data exposure vulnerability on one of the National Aeronautics and Space Administration (NASA) subdomains. The vulnerability was submitted on Sep 16, 2025 and was resolved on Oct 27, 2025.
Nov 23, 2025
Alexandru Ionut Raducu identified a XSS vulnerability in ProjectSend and later increased the severity of the vulnerability from a simple XSS to full administrator account takeover.
Nov 30, 2025
Luke Smith (Daeda1us) discovered that Apache Druid versions through 34.0.0 use a weak, guessable fallback secret for signing Kerberos authentication cookies when druid.auth.authenticator.kerberos.cookieSignatureSecret is not configured. Because the system relies on ThreadLocalRandom, a non-cryptographic PRNG, attackers may be able to predict or forge tokens. The issue also results in each node generating its own secret, causing inconsistent authentication behavior in distributed clusters.
Dec 19, 2025
On October 3rd, 2025, Cristian Branet (cristibtz) reported a Server-Side Template Injection vulnerability on Xibo CMS that was later escalated to Remote Code Execution (RCE), this vulnerability effectively allowed low-privileged users access to the entire server.
Dec 21, 2025
On May 23, 2025, Halil Oktay (oblivionsage) discovered a path traversal vulnerability in node.js that allowed reading system files outside its intended folder. This vulnerability affects all Node.js apps on Windows that use path.normalize() or similar functions to sanitize user-provided file paths
Dec 22, 2025
Around December 2024, Edward Warren (Actuator) discovered that "Color Phone: Call Screen Theme" mobile app is vulnerable to insecure permission handling via an exported Android activity. As a result, malicious applications can invoke this activity directly to initiate phone calls on behalf of the user.
Dec 22, 2025
Around September 2024, Edward Warren (Actuator) discovered that "Video Downloader Pro & Browser" 1.0.42 is vulnerable to arbitrary JavaScript execution via an exported Android activity. The exploitation led to Cross-site Scripting (XSS) vulnerability.
Dec 28, 2025
In later December 2025, Muhammad Taha Khan (KhanMarshai) discovered a race condition vulnerability on OpenCart CMS that allows malicious customers to bypass business logic restrictions, specifically allowing a single-use coupon to be redeemed multiple times and enabling the sale of products beyond available inventory (overselling).
Jan 17, 2026
Alasdair Gorniak found a Remote Code Execution (RCE) vulnerability in Microsoft Power Apps allows an authorized attacker to execute code over a network.