Security Research Lab
We discover and responsibly disclose vulnerabilities in WordPress plugins, web applications, and open-source software. The lab works alongside the Leads Mart AI Lab, applying AI-assisted code review and pattern matching to security audits at scale.
Disclosures
First public advisories are pending CVE assignment and embargo lift. This index will be populated as they are published.
Public archive: github.com/LeadsMartLabs/security-disclosures
Methodology
- Manual source-code review against the latest plugin / application release.
- AI-assisted triage and pattern matching using internal tooling built on top of Anthropic Claude and GPT-4-class models.
- Validation against locally-deployed installations only. We do not test against third-party production infrastructure without explicit written authorization.
- Coordinated disclosure with a 90-day embargo window.
Disclosure Policy
We follow a 90-day coordinated disclosure timeline:
- Day 0: Vendor notified via security contact with full technical detail and reproducer.
- Day 7: Reminder email if no acknowledgment.
- Day 30: Escalation to relevant CNA (Patchstack · Wordfence · MITRE).
- Day 90: Public disclosure regardless of patch status, unless mutually agreed extension.
Contact
| Channel | Address |
|---|---|
| Public | security@leads-mart.com |
| Disclosure (PGP only) | disclosure@leads-mart.com |
| Public archive | github.com/LeadsMartLabs/security-disclosures |
| Org | github.com/LeadsMartLabs |
PGP Key
All embargoed correspondence is accepted PGP-encrypted only.
Fingerprint
B229 0271 9256 5F55 642D A5BC 0185 0834 7218 C43B
Public key
Download pgp.txt, or fetch from keys.openpgp.org.
uid: Ahmed Nassef (Leads Mart Security Research Lab) <disclosure@leads-mart.com>
type: RSA 4096 / RSA 4096 (sign + encrypt)
expires: 2 years from issue
fpr: B229 0271 9256 5F55 642D A5BC 0185 0834 7218 C43B
Verify
```sh
$ gpg --keyserver keys.openpgp.org --recv-keys B229027192565F55642DA5BC018508347218C43B
$ gpg --fingerprint disclosure@leads-mart.com
# expected: B229 0271 9256 5F55 642D A5BC 0185 0834 7218 C43B
```
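Looking up a key by e-mail address returns whatever key in the local keyring carries that uid, so the step that actually establishes trust is comparing the primary-key fingerprint against the value pinned here. The script below is an added example, not the lab's own tooling: it parses `gpg --with-colons --fingerprint` output, takes only the primary-key `fpr:` record (subkey fingerprints are skipped), and compares it to the pinned fingerprint regardless of spacing or case. The colon-format sample embedded in it is constructed for offline testing; pass `--live` to run the same check against the local keyring (assumes `gpg` is on the PATH).

```sh
#!/bin/sh
# Added example: pin the published fingerprint and verify that the key gpg
# resolves for the disclosure address really carries it.
# The sample colon-format output below is constructed, not captured.

EXPECTED_FPR="B229 0271 9256 5F55 642D A5BC 0185 0834 7218 C43B"

# Strip grouping spaces and upper-case hex so fingerprints compare reliably.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Extract primary-key fingerprints from `gpg --with-colons --fingerprint` output.
# In colon format each `pub:` record is followed by `fpr:::::::::<hex>:` (field 10);
# `sub:` records are followed by their own `fpr:` lines, which are skipped here.
extract_primary_fprs() {
    awk -F: '$1=="pub"{want=1;next} $1=="sub"{want=0} $1=="fpr"&&want{print $10; want=0}'
}

# Return 0 only if exactly one primary key on stdin matches the expected fingerprint.
# Reads colon-format output on stdin so it can be exercised without gpg installed.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    matched=0
    for f in $(extract_primary_fprs); do
        if [ "$(normalize_fpr "$f")" = "$expected" ]; then
            matched=$((matched+1))
        fi
    done
    [ "$matched" -eq 1 ]
}

# Constructed sample: one primary key (correct fingerprint) plus one subkey.
SAMPLE_OUTPUT='pub:u:4096:1:018508347218C43B:1700000000:1763000000::u:::scESC::::::23::0:
fpr:::::::::B229027192565F55642DA5BC018508347218C43B:
uid:u::::1700000000::0000000000000000000000000000000000000000::Ahmed Nassef (Leads Mart Security Research Lab) <disclosure@leads-mart.com>::::::::::0:
sub:u:4096:1:0000000000000000:1700000000:1763000000:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Live check against the local keyring for the given uid / address.
verify_live() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null | fpr_matches "$EXPECTED_FPR"
}

if [ "${1:-}" = "--live" ] && command -v gpg >/dev/null 2>&1; then
    if verify_live disclosure@leads-mart.com; then
        echo "fingerprint OK"
    else
        echo "fingerprint MISMATCH or key not found"
        exit 1
    fi
fi
```

Run it as `sh verify-key.sh --live` after the `--recv-keys` step above; a non-zero exit means the key in your keyring does not match the pinned fingerprint and should not be used for embargoed correspondence.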