
Work with me

I take on selected commissioned work where the scope is narrow, authorised, and aligned with my focus on access-control weaknesses in B2B SaaS products.

Commissioned work is separate from unsolicited disclosure.

I do not make unsolicited vulnerability reports conditional on payment. Commissioned work is different: it requires written scope, named contacts, and authorisation before testing starts.

The useful fit is usually a product team that wants a careful review of authentication, authorisation, API behaviour, or tenant boundaries without turning the work into a broad compliance exercise.

Focused work I can take on

One-off SaaS access-control review

Focused testing of authentication, authorisation, tenant isolation, and API access control in a defined product area.

API authorisation review

Reviewing authenticated API behaviour against the permissions, roles, and tenant boundaries the product is expected to enforce.

Tenant isolation review

Testing whether one customer account can access another customer's records, files, actions, or administrative surfaces.

Authentication and account lifecycle review

Reviewing registration, invitation, activation, session, recovery, deactivation, and account-state boundaries.

Quarterly access-control review

A recurring scoped review for teams shipping regular permission, API, or multi-tenant product changes.

Fix validation

Retesting a specific issue after remediation using agreed accounts, agreed boundaries, and a narrow validation plan.

How an engagement works

The process is deliberately plain. Agree the boundary, test only what has been authorised, write the findings clearly, then validate the fix if useful.

01

Scope

I agree the product area, test accounts, limits, contacts, timing, and evidence handling before testing starts.

02

Test

I test the agreed access-control boundaries with the minimum proof needed to demonstrate each issue, and I stay out of areas that have not been authorised.

03

Report

I provide a clear write-up with impact, reproduction context, evidence, severity rationale, and likely remediation direction.

04

Validate

Where requested, I retest the agreed fix path and confirm whether the boundary behaves as expected.

What I do not offer

I keep the scope narrow because that is where I can be most useful.

  • 24/7 monitoring or managed security operations
  • Compliance audits or certification work
  • Broad red-team exercises
  • Bug bounty platform services
  • Social engineering, phishing, or credential attacks
  • Unscoped testing without written authorisation

What to include in an enquiry

A short first email is enough. Please do not include credentials, tokens, customer data, or sensitive evidence.

  • The product or feature area you want reviewed
  • The security boundary or concern you want tested
  • Whether this is one-off, quarterly, or fix validation work
  • The preferred timeframe and main technical contact
  • Who can approve the testing scope and authorisation

Commissioned enquiry

Need a scoped access-control review?

Email Nick