// Cesium    EST. 2026

Research.
Build.
Protect.

Cesium is an independent group focused on security research, privacy advocacy, and open-source development. We document vulnerabilities under responsible disclosure, build useful tools, and help individuals reclaim their digital privacy.

FOCUS AREAS
Security · Privacy · Development
DISCLOSURE POLICY
Responsible Disclosure (90-day)
CONTACT
security@wearecesium.org
STATUS
Active · Accepting Reports
// 01   SECURITY
Security Research

We document vulnerabilities and run responsible disclosure research across platforms, services, and software. All findings are coordinated with vendors before publication under a 90-day disclosure window.

// 02   DEVELOPMENT
Development

We build open-source tools, utilities, and applications that serve the security and privacy communities. Practical software that solves real problems — released under permissive licenses.

// 03   PRIVACY
Privacy

We provide clear, actionable information on online privacy, FOSS alternatives, and digital self-defense. No jargon — practical guides for individuals who want to take back control of their data.

We disclose responsibly.
Always.

Every vulnerability we find is reported to the affected vendor first. We give a minimum of 90 days for a fix before any public disclosure. Security research only improves the ecosystem when it's done with care — not for clout.

90-DAY DISCLOSURE WINDOW  ·  100% OPEN SOURCE TOOLS  ·  0 VENDOR EXCEPTIONS  ·  CVE COORDINATED SUBMISSIONS

An independent group that takes security seriously.

Cesium was founded by a small group of security researchers, developers, and privacy advocates who wanted to build something honest — a place to publish real research, ship useful tools, and help people understand the threats they face online.

We operate in public.

Transparency is the baseline. Our research is published in full. Our tools are open source. Our disclosure process is documented and enforced without exceptions.

We don't take bug bounties for research we consider in the public interest. We don't accept vendor payments for positive coverage. We don't sit on vulnerabilities.

If we find something, we tell the vendor. If the vendor doesn't respond or doesn't fix it, we tell everyone else.

RESPONSIBLE DISCLOSURE
We follow a strict 90-day disclosure policy. Vendors are notified privately and given a reasonable window to patch. Extensions are granted case-by-case for complex issues. There are no exceptions for companies that simply prefer silence.
OPEN SOURCE FIRST
Every tool we build is released under a permissive open-source license. We believe security tooling shouldn't be locked behind enterprise contracts or opacity. If the code is useful, it should be available.
PRIVACY AS A RIGHT
Online privacy isn't a luxury feature — it's a baseline right that has been steadily eroded. We publish practical, non-commercial guidance on how to reclaim it, without affiliate links or sponsored recommendations.
NO SENSATIONALISM
We don't give vulnerabilities branded names. We don't build landing pages for CVEs. We write clearly, cite our work, and let the findings speak for themselves. Security theatre helps nobody.

A small, distributed group. Some of us prefer to stay pseudonymous — this is the security world, after all.

t4
FOUNDER · DEVELOPER · SECURITY RESEARCHER

Web application security, tool development and responsible disclosure coordination. Has reported to a number of platforms under responsible disclosure.

Vulnerability
Research & Advisories

All findings published here have been disclosed to vendors prior to publication. CVE IDs are linked where assigned.

VULN · CVE-2026-XXXXX MAY 2026
Stored XSS in a Major SaaS Platform's Markdown Renderer

A persistent cross-site scripting vulnerability in a widely used project management tool's Markdown parser allowed injection of arbitrary JavaScript through image alt-text attributes. The issue affected all tiers, including enterprise. Patched in version 4.12.1 following a 67-day disclosure window.

TIMELINE
Reported: 2026-03-01  ·  Acknowledged: 2026-03-04  ·  Patched: 2026-05-07  ·  Disclosed: 2026-05-14
RESEARCH APR 2026
How Modern SSO Implementations Leak Session Context

An analysis of OAuth 2.0 implementation patterns across 12 major SaaS platforms reveals a recurring pattern of session context leakage through referrer headers during the authorization code exchange flow. We document the pattern, affected configurations, and mitigations.

SCOPE
12 platforms surveyed  ·  4 confirmed affected  ·  All notified  ·  3 patched
TOOL RELEASE APR 2026
Releasing csm-scan v0.1: Subdomain Enumeration Without the Bloat

csm-scan is a lightweight, fast subdomain enumeration tool built for recon pipelines. Written in Go, it integrates with passive DNS sources, supports custom wordlists, and outputs clean JSON or plaintext. No telemetry. No rate-limit workarounds that violate ToS.

LINKS
Source: github.com/cesium-dev/csm-scan  ·  License: MIT  ·  v0.1.0
VULN · IN DISCLOSURE MAR 2026
IDOR in a Healthcare Platform's Patient Record API

An insecure direct object reference in a patient record retrieval endpoint allowed authenticated users to access records belonging to other patients by incrementing a numeric ID parameter. Vendor notified. Currently within disclosure window — full advisory pending.

STATUS
Reported: 2026-03-18  ·  Acknowledged: 2026-03-22  ·  Disclosure window: 2026-06-18

Privacy Guides
& Analysis

Practical, non-commercial guides on digital privacy, FOSS alternatives, and reclaiming control of your data. No affiliate links. No sponsored content.

FOSS APR 2026
The Case for Local-First Software in 2026

Cloud-first software has become the default assumption. But for users who care about data sovereignty, local-first alternatives offer a compelling case — and the ecosystem has never been more mature. We survey the current state of local-first tools across productivity, communication, and notes.

GUIDE APR 2026
Hardening Your DNS: From ISP Resolver to Encrypted, Filtered Queries

Your DNS resolver sees every domain you visit. Most users are still using their ISP's default resolver, which logs and monetises that data. This guide walks through moving to an encrypted, private resolver — from DNS-over-HTTPS to running your own with Pi-hole and Unbound.

ANALYSIS MAR 2026
What Popular Android Apps Actually Send Home: A Network Traffic Analysis

We intercepted and analysed the network traffic of 20 popular free Android applications over a 7-day period. The results — telemetry endpoints, fingerprinting payloads, and third-party SDK callbacks — are documented in full. Several apps contacted over 30 distinct tracking domains per session.

FOSS MAR 2026
A Practical FOSS Stack for 2026: From Browser to Productivity Suite

A curated, opinionated list of open-source alternatives for every major software category — with honest notes on where FOSS still falls short. No affiliate links, no referral codes. Just what we actually use and can vouch for.

ANALYSIS FEB 2026
Browser Fingerprinting in 2026: What's Changed, What Hasn't

Browser fingerprinting has grown more sophisticated, but so have the defences. We survey the current state of canvas fingerprinting, font enumeration, and WebGL probes — and assess what actually works to mitigate them in daily browsing.

GUIDE FEB 2026
Email Security Basics: SPF, DKIM, DMARC Explained Without Jargon

Most people running a custom email domain have no authentication records configured — making their domain trivially spoofable. This guide explains SPF, DKIM, and DMARC in plain terms and walks through setting them up correctly, with common mistakes to avoid.