TriageForge is an independent research practice working on cryptographic infrastructure, coordinated vulnerability disclosure, kernel-level vulnerability research, privacy implementation under UK law, and the methodology of small-lab verification.
Output is published. The practice does not provide commercial consultancy services; collaboration is pro bono and academic in character.
Founded 2026 · Whitby, North Yorkshire · United Kingdom
Each area maps to published output: papers, disclosed findings, accepted patches, methodology documents. The practice lists work rather than capabilities.
The implicit contract between researcher and vendor under coordinated disclosure. What happens, structurally, when timelines are honoured in form but disengaged in substance. Bounty-programme incentive misalignment and the disclosure calculus under indefinite vendor silence.
Key management, smart-card and NFC authentication, payment-system architecture. Lineage includes co-authorship of the NHS Approved Cryptographic Algorithms standard (NIST-sourced, 2004) and design of the Transport for London Oyster contactless payment system.
Darwin / XNU on macOS; OpenBSD network daemons. Source-level audit paired with binary verification against shipping artefacts. Findings disclosed in 2026 through the OpenBSD project and Apple Security Bounty.
EV2First mutual authentication, AES-128-CMAC verification, Secure Dynamic Messaging. The first native open-source NTAG 424 DNA SDK for macOS, released under AGPL v3 with zero third-party dependencies.
UK GDPR, Data Protection Act 2018, and Data (Use and Access) Act 2025. DPIAs, LIAs, ROPAs, transfer impact assessments, technical schedules to processing agreements. Twenty-plus years of implementation experience across clinical research, retail, financial services, and public-sector contracting.
How a small research practice verifies its claims. Empirical-verification gates between hypothesis and submission. Adversarial multi-LLM review with explicit hallucination-detection protocols. The discipline of declining to file until binary, disassembly, and observed live behaviour are in agreement.
Reverse chronological. Each entry links to the full public document.
A four-class taxonomy, a pre-send filter, and two real disclosure withdrawals from the practice’s own 2026 OpenBSD work. The honest case for routine pre-send discipline, from the sender’s end of the slop problem. Full paper →
Thirteen-year-latent CL.TE HTTP request smuggling primitive in relay_http.c: the body was parsed as chunked, but a co-present Content-Length header was not stripped before forwarding to the backend, contrary to RFC 9112 §6.1. Found by a targeted source-review pass against the RFC framing rules. Full disclosure →
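The framing rule the relay_http.c finding turns on, as an added illustration rather than code from relayd: a relay that has framed the body by Transfer-Encoding must drop any co-present Content-Length before forwarding, otherwise a backend that trusts Content-Length (assumed here as the legacy behaviour) will disagree with it about where the request ends. The sample header block is constructed.

```python
from typing import Callable, List, Tuple

Header = Tuple[str, str]
Relay = Callable[[List[Header]], List[Header]]

# Constructed sample header block carrying both framing headers.
SAMPLE: List[Header] = [
    ("Host", "example.invalid"),
    ("Content-Length", "13"),
    ("Transfer-Encoding", "chunked"),
]

def _has(headers, name):
    return any(n.lower() == name for n, _ in headers)

def compliant_framing(headers: List[Header]) -> str:
    """Body delimiter per RFC 9112: Transfer-Encoding takes precedence."""
    if _has(headers, "transfer-encoding"):
        return "chunked"
    if _has(headers, "content-length"):
        return "content-length"
    return "none"

def legacy_backend_framing(headers: List[Header]) -> str:
    """Assumed non-compliant backend that trusts Content-Length when present."""
    if _has(headers, "content-length"):
        return "content-length"
    if _has(headers, "transfer-encoding"):
        return "chunked"
    return "none"

def forward_unchanged(headers: List[Header]) -> List[Header]:
    """Defective relay: headers pass through verbatim."""
    return list(headers)

def forward_sanitised(headers: List[Header]) -> List[Header]:
    """Hardened relay: once the body is framed by Transfer-Encoding,
    Content-Length is removed before forwarding (RFC 9112 section 6.1)."""
    if not _has(headers, "transfer-encoding"):
        return list(headers)
    return [(n, v) for n, v in headers if n.lower() != "content-length"]

def desync(headers: List[Header], relay: Relay) -> bool:
    """True when relay-side and backend-side body framing would disagree."""
    return compliant_framing(headers) != legacy_backend_framing(relay(headers))

if __name__ == "__main__":
    for relay in (forward_unchanged, forward_sanitised):
        print(relay.__name__, "desync:", desync(SAMPLE, relay))
```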
Five commits landed in OpenBSD -current on 2026-05-26 following a corrected per-claim disclosure. The resolution side of the case study at the centre of The Calculator Discipline. Full disclosure →
Five-stage pipeline: recon (Marchenko-Pastur spectral ranking), verify (OpenBSD canary-aware stack-frame analysis), disclose (the pre-send hallucination filter from The Calculator Discipline), harness, orchestrator. Walked-back experiments ship alongside survivors with per-tool post-mortems.
Five-stage research pipeline (path pruning, spectral anomaly, SSA dataflow, symbolic taint, on-device validation) maintained by the practice and used across the 2026 OpenBSD disclosure batch.
Unified runtime trace pipeline for XPC daemons in the PAC era, where static call graphs no longer suffice. Companion tool to Metis for macOS targets.
The first in a series of TriageForge case studies. Walks through the operator-precedence error in OpenBSD's ospf6d LSA parser, why source review caught what fuzzing and static analysis did not, and what the work tells us about the productive scope of a small lab.
Pre-authentication, network-reachable. Length-prefixed binary parser failed to validate the inner length before trusting it — the standard defence for this class of bug, missing.
Operator-precedence error in an OSPFv3 parser. Acknowledged in the commit message. TriageForge case study →
Integer overflow in an AgentX bounds check. No released OpenBSD version was ever vulnerable; published for completeness and as evidence of audit methodology.
Source-level defect in the EIGRP routing daemon, confirmed by an ASAN-instrumented build crashing on a single crafted packet. On the shipped amd64 binary the consequence is bounded to a denial of service; the same input on the stock arm64 build does not crash, owing to the project's stack-protector posture. A worked example of the gap between source UB and live exploitability.
Accompanies the public disclosure of three vulnerabilities in Apple platforms. Examines what happens when the implicit contract between researcher and vendor is honoured in form and abandoned in substance.
A single-day case study of three filings, fifteen refutations, and the manpage that wasn’t. Documents a disciplined pre-filing methodology using four commodity LLMs as adversarial reviewers, with an empirical-verification gate between LLM verdict and submission.
Six-phase methodology distilled from thirty-five years of structured practice. Eleven chapters covering vendor disclosure under the 90-day standard, the Darwin/XNU security landscape, and the human side of working with vendor security teams.
A small research practice depends on being clear about what it knows, what it does not, and how it tells the difference. The three principles below are applied without exception.
The shipping artefact is what runs. Source is intent. Divergence between the two is treated as material until proven otherwise, and the running binary is disassembled before any claim of a live finding.
Every disclosure carries a working reproducer, a tested version, the vendor reference, and an explicit list of what has and has not been verified. Speculative filings waste vendor time and researcher credibility. The practice does not file them.
The pre-filing adversarial review, the binary-versus-source verification protocol, and the disclosure-timing calculus are all published in full. Critique is welcomed; methodology improvements are integrated. The discipline is the asset; the findings are the receipts.
TriageForge was founded in 2026 by Stuart Paul Thomas in Whitby, North Yorkshire. Thirty-five years of professional practice spanning payment terminals; the Sony PlayStation 2 UK launch network (2000); the NHS Approved Cryptographic Algorithms standard (co-author, 2004); the Transport for London Oyster contactless payment system (designer); and macOS and OpenBSD vulnerability research published 2026 through Apple Security Bounty and the OpenBSD project.
The practice is, at the time of writing, a single-researcher operation. Growth over the next two years is anticipated through collaboration with researchers working in adjacent fields, rather than through employment or capital. The institutional framing — practice, lab, we — describes how the work is structured (publications, methodology, evidence), not headcount.
Vendor-recognised credentials are maintained where they are relevant to operational scope. Anthropic’s Cyber Verification Program approved the organisation’s use of the Claude platform for dual-use security research in April 2026 — confirming that defensive and offensive tooling work undertaken here is sanctioned by the vendor whose technology supports parts of the workflow.
Researchers active in cryptographic infrastructure, coordinated vulnerability disclosure, kernel-level vulnerability research, NFC and smart-card security, privacy implementation, or small-lab methodology are invited to make contact regarding specific collaborations. Co-authorship and credited contributions follow standard academic practice.
Contact is asynchronous and considered. Reply times are not guaranteed.
For research collaboration, peer review of methodology, or substantive discussion of published work:
contact@triageforge.co.uk
TriageForge is not a consultancy and does not undertake commercial engagements, paid contracts, retainers, or fee-earning work. Collaboration is pro bono and academic in character.