Free pentest. Pay only if we find something.
8 out of 10 startups have critical or high vulnerabilities exposed. We run a real authorized pentest against your web app. The price is set upfront in the authorization you sign. If we find nothing, you owe nothing. If we find something, you pay the amount you already agreed to. No surprise invoice.
Four steps. No procurement. No quarterly waits.
From the moment you join the waitlist to a written report in your inbox: roughly 7 to 14 days, end to end.
Join the waitlist
Name, work email, company URL, role. Takes 30 seconds.
Scope on a call
Confirm domain ownership, agree on scope, pick a 14-day window.
Sign the authorization
One page, DocuSign, Delaware-governed. Done in five minutes.
We run. You get the report.
Every finding scored, with PoC, CWE tag, and fix instructions.
A report your team can act on.
Not a 60-page consulting deliverable. Every row is scored, reproducible, and ships with a concrete fix. Audit-ready for SOC 2 CC7.x. Routes into Linear, Jira, or GitHub Issues without rewriting.
The bio field on /api/users/me persists user-supplied HTML without sanitisation. The markup renders raw on the public profile route at /u/:handle.
Any authenticated attacker can plant a payload in their own bio that fires on every visit, including unauthenticated visitors. With a shareable profile URL, this enables one-click session theft and account takeover.
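To make the finding above concrete, here is an added example (not the page's or the vendor's code) that models the profile route in plain Node.js: the bio stored through /api/users/me is rendered raw in one version of the /u/:handle handler and HTML-escaped on output in the other. The in-memory store, the handler names and the sample bio are constructed for illustration.

```javascript
// Constructed sample: what a user could store as their own bio via /api/users/me.
const STORED_BIO = 'Hi there <script>alert(1)</script>';

// Assumed in-memory stand-in for the users table.
const users = { alice: { handle: 'alice', bio: STORED_BIO } };

// Vulnerable: the stored bio is concatenated into the page as-is, so markup the
// user stored becomes part of the DOM for every visitor of /u/:handle.
function renderProfileVulnerable(handle) {
  const u = users[handle];
  return `<h1>${u.handle}</h1><p class="bio">${u.bio}</p>`;
}

// Escape the five HTML-significant characters. Doing this at the point of output
// is the control that holds regardless of how the value reached the database.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every user-controlled value, including the handle from the URL, is
// escaped before interpolation. If rich text in bios is a product requirement,
// run an allowlist sanitizer (e.g. DOMPurify) instead of accepting raw HTML.
function renderProfileSafe(handle) {
  const u = users[handle];
  return `<h1>${escapeHtml(u.handle)}</h1><p class="bio">${escapeHtml(u.bio)}</p>`;
}

// Regression check a test suite can run against rendered output: does any tag or
// inline event handler that originated from user data survive into the page?
function containsRawTag(html) {
  return /<script\b|<img\b|<iframe\b|\son\w+=/i.test(html);
}

console.log(renderProfileVulnerable('alice'));
console.log(renderProfileSafe('alice'));
```

The check in containsRawTag is a coarse signal for a unit test, not a sanitizer; the fix is the output escaping in renderProfileSafe.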
You own the asset. You authorize the testing.
Same legal posture every pentest firm uses, from Bishop Fox to Cobalt. Well-precedented for 20+ years. We run as your authorized agent, against assets you control, under a written agreement that names exactly what is in scope.
Domain ownership, verified first
Before any active testing, you publish a DNS TXT record or a /.well-known token. We do not run the agent against domains you cannot prove control of.
Rate-limited and non-destructive
≤10 requests per second per host unless you authorize higher in writing. No mass account creation, no payment-flow exploitation, no data deletion, no DoS.
Encrypted, then deleted
PoCs use synthetic payloads wherever possible. Engagement artifacts are encrypted at rest (AES-256) and deleted within 30 days of report delivery.
Request a free pentest.
We will reply within 24h to schedule the 15-minute scoping call. No procurement. No NDA before the call. No pricing pressure.
- Free if we find nothing. Price set in the authorization you sign.
- Domain ownership verification before any active testing.
- Report ready for SOC 2 CC7.x evidence.