DELTA OBSCURA

We are the team behind Mission Cyber Sentinel, a mission dedicated to securing 446,000 digital assets globally.

Our Partners

Mission Vector Zero

Mission Vector Zero

Mission Vector Zero is dedicated to uncovering high-impact vulnerabilities in 30+ targets, each demonstrably affecting over 250,000 users or digital assets, and meeting the severity threshold of CVSS 6.0 or VRT P1-P3 classification.

Mission Details

Start Date: Nov 02, 2025

Status: Ongoing

Contributors: 3

Description

Through Mission Vector Zero, we aim to identify vulnerabilities in widely used systems and software. Our focus spans the entire technology stack, from web applications to hardware with deliberate emphasis on high-impact, widely adopted targets. Every finding must meet strict, verifiable criteria for impact and adoption.

Scope (for our team)

In scope (examples):

  • Web applications
  • Binaries and executables
  • Servers and server software
  • Frameworks and operating systems
  • Libraries, extensions, and packages
  • Hardware and firmware
  • Closed & open-source software
  • Public and private bug bounty targets

Note: Inclusion in scope does not mean every category will be actively tested. These are potential target types available for selection.

Objectives

  1. Identify at least one 0-day vulnerability across 30 high-value targets.
  2. Each target must have a documented and verifiable user base of ≥ 250,000 users.


Vulnerability Acceptance Criteria

We will not pursue low-impact or trivial issues. Each vulnerability considered for this mission must meet the following standards:

  • Must be scored using the CVSS v3 calculator, confirming a severity score of 6.0 or higher
  • Alternatively, when using Bugcrowd’s Vulnerability Rating Taxonomy (VRT), only P1-P3 vulnerabilities qualify

Transparency

Unlike previous missions focused on CVE hunting, we cannot always disclose full details of the vulnerabilities identified, especially for private bug bounty or government engagements (e.g., Department of Defense).
Instead, for institutional verification, we will provide the following metadata:

  • Reporter name
  • Timestamp
  • Report ID

Progress

Current mission progress:

Researcher Target Vulnerability Submission Date Severity Report ID
Alasdair Gorniak NASA Sensitive Data Exposure 16 Sep 2025 18:11:06 UTC P3 49ee435c-5e66-4093-ac6d-e76835e9fba0
Xoriath ProjectSend Cross-Site Scripting 24 Jun 2025 High (8.8) CVE-2025-13232
Daeda1us Apache Druid Weak PRNG 20 Jul 2025 Critical (9.8) CVE-2025-59390

Milestones

NASA P3 Vuln (3.3%)
ProjectSend XSS (3.3%)
Apache CVE-2025-59390 (3.3%)
Remaining

Contributors

Name Date Joined
Alasdair Gorniak Nov 02, 2025
Alexandru Ionut Raducu (Xoriath) Nov 23, 2025
Luke Smith (Daeda1us) Nov 30, 2025

Timeline of Events

Oct 27, 2025

Alasdair Gorniak identified a sensitive data exposure vulnerability on one of the National Aeronautics and Space Administration (NASA) subdomains. The vulnerability was submitted on Sep 16, 2025 and was resolved on Oct 27, 2025.

Nov 23, 2025

Alexandru Ionut Raducu identified a XSS vulnerability in ProjectSend and later increased the severity of the vulnerability from a simple XSS to full administrator account takeover.

Nov 30, 2025

Luke Smith (Daeda1us) discovered that Apache Druid versions through 34.0.0 use a weak, guessable fallback secret for signing Kerberos authentication cookies when druid.auth.authenticator.kerberos.cookieSignatureSecret is not configured. Because the system relies on ThreadLocalRandom, a non-cryptographic PRNG, attackers may be able to predict or forge tokens. The issue also results in each node generating its own secret, causing inconsistent authentication behavior in distributed clusters.