Pwno is an AI cybersecurity startup founded by two high-schoolers. It competes directly with Google DeepMind on the world's hardest cybersecurity problem: memory security. We find big, scary bugs in critical systems with AI.
We had been working on this question for around 8 months, from initially just trying to harness gdb.
What we did
Here's a list of bugs we found, and currently patched.
| PROJECT | ID | COMPONENT | TYPE | DATE |
|---|---|---|---|---|
| Redis | PWNO-0019 | [REDACTED] | [REDACTED] | 2025-12-30 |
| Redis | PWNO-0018 | [REDACTED] | [REDACTED] | 2025-12-30 |
| Redis | PWNO-0017 | [REDACTED] | [REDACTED] | 2025-12-30 |
| Chromium | PWNO-0015 | UAF read in WebDragDest::dropHitTestDidComplete invalid-drag-target path on macOS | UAF | 2025-12-23 |
| FFmpeg | PWNO-0014 | Heap-buffer-overflow in EXIF writer for extra IFD tags | OOB Write | 2025-12-21 |
| Dng-sdk | PWNO-0013 | [REDACTED] | Uninitialized memory | 2025-12-19 |
| WebKit | PWNO-0012 | [REDACTED] | [REDACTED] | 2025-12-18 |
| WebKit | PWNO-0011 | [REDACTED] | [REDACTED] | 2025-12-18 |
| OpenSSL | PWNO-0010 | OOB write in SHA3/KECCAK deserialization | OOB Write | 2025-12-16 |
| OpenSSL | PWNO-0009 | OOB write via SHA-2 digest deserialization | OOB Write | 2025-12-16 |
| FFmpeg | PWNO-0008 | Heap OOB write in libsvtjpegxs decoder, chunk mode | OOB Write | 2025-12-14 |
| FFmpeg | PWNO-0007 | Heap OOB write in MPEG-TS JPEG‑XS PES parsing (libavformat/mpegts.c) | OOB Write | 2025-12-14 |
| Firefox | PWNO-0006 | UAF in nsDocLoader::GetInterface during APZ repaint / scrolling | UAF | 2025-12-13 |
| FFmpeg | PWNO-0003 | avformat/sierravmd: fix header read error check (tiny precedence bug) | Undefined Behavior | 2025-12-11 |
| FFmpeg | PWNO-0005 | OOB read in Vulkan DPX hwaccel shader | OOB Read | 2025-12-11 |
| FFmpeg | PWNO-0002 | Crash in vf_noise SSE2 on misaligned frames | Denial of Service | 2025-12-08 |
| FFmpeg | PWNO-0001 | Stack overflow in drawvg parser on deeply nested scripts | Stack Overflow | 2025-12-08 |