INDEPENDENT SECURITY RESEARCH · UNITED KINGDOM

Independent security research for multi-tenant SaaS.

I use GreySurface for my independent security research practice, focused on authentication, authorisation, API access control, and tenant isolation in B2B software.

  • Self-controlled accounts
  • Minimum necessary proof
  • No payment condition
  • Remediation support

Research activity

I keep public figures deliberately narrow. Report details, vendor names, and evidence stay private unless publication is appropriate.

  • 3,323 vulnerabilities identified
  • 849 reports sent

Received a security report from GreySurface?

I provide the report without a fee or payment condition. I test from accounts I control, stop after the minimum proof needed to establish the issue, minimise incidental data, and cooperate with remediation.

Where I focus

Tenant isolation

I test whether an authenticated user can cross the boundary between separate customer accounts.

Object-level authorisation

I check whether access decisions are applied to the individual record requested, not only to the route or session.

Authentication and account lifecycle

I review registration, activation, invitation, session, recovery, and account-state boundaries.

API access control

I compare intended product permissions with the behaviour of authenticated API endpoints.
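The two boundaries described above (tenant isolation and object-level authorisation) come down to one question: is the access decision made on the individual record, or only on the route and session? The following is an added illustration, not code from GreySurface or from any vendor it has reported to. The `Invoice` records, tenant names and handler functions are all constructed for the example. It places a handler that checks only "is someone logged in?" beside one that scopes the lookup to the caller's tenant, and includes the kind of read-only regression check a vendor can keep in its test suite after remediation.

```python
"""
Added example (not from the GreySurface page): a record lookup that checks only
the session, beside one that enforces the tenant boundary on the record itself.
All data and names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: str
    amount_pence: int


# Constructed sample data: two tenants, one invoice each.
INVOICES = {
    101: Invoice(101, "tenant-a", 12_500),
    102: Invoice(102, "tenant-b", 99_000),
}


class NotFound(Exception):
    pass


def get_invoice_route_only(session: Optional[Session], invoice_id: int) -> Invoice:
    """Weak pattern: authorisation is decided at the route (is anyone logged in?)
    and the record is fetched by primary key alone. The object-level decision is
    never made, so a user of tenant-a can read tenant-b's invoice."""
    if session is None:
        raise PermissionError("login required")
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_tenant_scoped(session: Optional[Session], invoice_id: int) -> Invoice:
    """Hardened pattern: the lookup is scoped to the caller's tenant, so the
    decision is applied to the individual record. A record in another tenant is
    reported exactly like a non-existent one (not found rather than forbidden),
    so the response does not confirm that the id exists."""
    if session is None:
        raise PermissionError("login required")
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != session.tenant_id:
        raise NotFound(invoice_id)
    return inv


def crosses_tenant_boundary(
    handler: Callable[[Optional[Session], int], Invoice],
    session: Session,
    other_tenant_invoice_id: int,
) -> bool:
    """Read-only regression check: does this handler return a record that
    belongs to a tenant other than the caller's? True means the boundary failed."""
    try:
        inv = handler(session, other_tenant_invoice_id)
    except (NotFound, PermissionError):
        return False
    return inv.tenant_id != session.tenant_id


if __name__ == "__main__":
    alice = Session("alice", "tenant-a")
    print("route-only handler leaks:", crosses_tenant_boundary(get_invoice_route_only, alice, 102))
    print("tenant-scoped handler leaks:", crosses_tenant_boundary(get_invoice_tenant_scoped, alice, 102))
```

The design point is that the tenant filter lives in the data access itself rather than in a check bolted onto the route: every code path that fetches an invoice then inherits the boundary, and a missing check on one new endpoint cannot silently widen access.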

A disciplined disclosure process

01 Create: I establish access using an account or trial environment I control.

02 Confirm: I use the minimum read-only proof needed to establish whether a security boundary has failed.

03 Stop: I do not bulk enumerate records or test state-changing actions against data outside my account.

04 Report: I contact the vendor directly with an impact summary, reproducible evidence, and remediation context.

05 Support: I remain available to clarify the report and validate the fix.

I do not make reports conditional on payment.

I provide a vulnerability report so the vendor can assess and remediate the issue. I never withhold it pending payment.

If a vendor validates a useful finding and chooses to recognise the research with a discretionary goodwill contribution, that choice does not affect access to the report, coordination, or fix validation.

Independent by design.

I run GreySurface as an independent security research practice, based in the UK. I keep the focus narrow by design: access-control weaknesses in software that separates one customer's data from another's.

My aim is straightforward. I want to give the vendor a clear, reproducible report early enough for the issue to be fixed before it causes harm.

Need to verify a report or continue a disclosure?