This blog
NULL CATHEDRAL is where I write about the things I find when I get curious and start poking at software.
“What’s inside this vendor’s VMware images?” “How do the top PHP projects handle file uploads?” “This CVE looks interesting! Did other projects get it wrong too?”
Most of what I do starts with a question, not a target. I follow the thread until I hit something interesting. Or I don’t, and I move on.
If the writeup helps someone else, good. If it makes a vendor uncomfortable, also good. Nothing here is sacred.
The author
Hello! I’m _NULL. Security research started as a hobby and became my job. This blog is the hobby part.
If you want to get in touch, here’s how. If you write top-10 VPN listicles, I probably can’t help you.
Disclosure policy
Vendors get notified first, then they get 120 days to patch, and I publish regardless of whether they do.
I make reasonable attempts to reach security contacts before the clock starts. If a vendor ghosts me entirely, I’ll publish a limited advisory after fifteen business days.
Incomplete or broken patches will get shorter timelines: 30 days if it’s critical and being exploited, 60 if the original fix offers partial protection, 90 otherwise.
If someone can’t patch, I’ll work with them on workarounds. But nothing gets buried because it’s inconvenient.