About GreySurface

I use GreySurface for my independent security research practice, based in the United Kingdom.

I focus on authentication, authorisation, API access control, and tenant isolation in B2B SaaS products. These controls decide whether one customer can see or change another customer's information.

I work independently. I am not an employee or representative of the vendors I contact. An unsolicited report from me is not a commissioned penetration test or compliance audit.

My aim is to give vendors a clear, reproducible report while limiting testing to the minimum evidence necessary. Where useful, I also help clarify the finding and validate the remediation.

Why GreySurface?

Many serious access-control failures sit beneath an otherwise polished interface. I usually find them by testing the relationship between a user, a record, and a tenant directly.
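As an added illustration of that user, record and tenant relationship (example code written for this page, not from GreySurface or from any vendor it describes; the data model, the in-memory store and the function names are assumptions), here is the lookup that omits the tenant comparison beside the one that enforces it, plus a small check that reports whether a fetch function lets a caller read another tenant's record:

```python
"""Tenant-scoped record access: the check that decides whether one
customer can read another customer's data.

Added example, not code from the GreySurface page. The data model
(users, tenants, records), the in-memory store and the two access
functions are constructed here for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str


@dataclass(frozen=True)
class Record:
    record_id: str
    tenant_id: str
    body: str


# Constructed sample data: two tenants, one record each.
RECORDS = {
    "rec-1": Record("rec-1", "tenant-a", "Tenant A invoice"),
    "rec-2": Record("rec-2", "tenant-b", "Tenant B invoice"),
}

ALICE = User("alice", "tenant-a")
BOB = User("bob", "tenant-b")


class Forbidden(Exception):
    """Raised when the caller's tenant does not own the requested record."""


def get_record_insecure(user: User, record_id: str) -> Record:
    """The pattern behind many tenant-isolation failures: the caller is
    authenticated, but the lookup is keyed on the record id alone and the
    record's tenant is never compared with the caller's tenant."""
    return RECORDS[record_id]


def get_record_scoped(user: User, record_id: str) -> Record:
    """Hardened form: the record must belong to the caller's tenant.
    'Missing' and 'owned by another tenant' produce the same error, so the
    response does not confirm that a foreign record id exists."""
    record = RECORDS.get(record_id)
    if record is None or record.tenant_id != user.tenant_id:
        raise Forbidden(f"{user.user_id} may not access {record_id}")
    return record


def cross_tenant_read_possible(fetch, user: User, record_id: str) -> bool:
    """Isolation check: does `fetch` hand `user` a record owned by a
    different tenant? True means the boundary is not being enforced."""
    try:
        record = fetch(user, record_id)
    except (Forbidden, KeyError):
        return False
    return record.tenant_id != user.tenant_id


if __name__ == "__main__":
    for name, fetch in [("insecure", get_record_insecure), ("scoped", get_record_scoped)]:
        leaks = cross_tenant_read_possible(fetch, ALICE, "rec-2")
        print(f"{name}: alice (tenant-a) can read rec-2 (tenant-b): {leaks}")
```

The scoped version puts the tenant comparison inside the data-access function rather than leaving it to each caller, which is the same discipline a tenant-filtered database query or row-level security policy gives you: a forgotten check in one endpoint cannot quietly expose another customer's record.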

The name GreySurface reflects that focus: looking beneath the visible surface at the boundaries the product is relying on.

What I do not claim

  • I do not claim that every issue is Critical
  • I do not claim a vendor commissioned the research when it did not
  • I do not publish private customer details as proof
  • I do not withhold a report until payment is offered
  • I do not present automated scanner output as manual security research