
Prove the bug.
Ship the fix.

AI security auditing that finds real bugs, proves they break, and gives your team patches worth merging. SAST, DAST, IaC, SCA — one system.


Found real vulnerabilities in

Anthropic
Better Auth
Brave
Bun
Cal.com
Google
Gumroad
Hoppscotch
Kastle
Mattermost
Microsoft
The New York Times
NVIDIA
Sentry
Supabase

How it works

From signal to fix.

01

Scan

Your codebase, read as a system.

Winfunc doesn't grep for patterns. It reads code paths, follows data from entry point to sink, understands the business logic around it. Most scanner noise gets cut before you ever see it.

02

Prove

Every bug comes with its exploit.

You get the attack path, a working PoC, and the reasoning behind the severity call. No guessing whether something's real. If it can't be proven, it doesn't get reported.

03

Fix

Patches that follow the code.

Fix guidance is tied to the exact code path that broke. Not generic advice, not a CWE link and a shrug. Something your team can review and merge.


What you get

The proof.

services/webhook/handler.ts (SSRF)

async function handleWebhook(req: Request) {
  const url = req.headers.get('x-callback-url');

  // No validation — attacker-controlled URL
  const response = await fetch(url);

  const data = await response.json();
  await db.webhookLogs.create({ data });
  return Response.json({ ok: true });
}

Attacker-controlled URL passed directly to fetch(). Internal services, cloud metadata endpoints, and localhost are all reachable.
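As an added example, not code from the page or from Winfunc: the same handler with the callback URL validated before fetch() runs. `db`, `fetch`, `Request` and `Response` are assumed to be runtime globals; the blocked address ranges and hostnames are this example's own choices.

```typescript
// Added example, not Winfunc's code: a hardened form of the handler shown above.
// `db` and the Fetch/Request/Response globals are assumed to exist in the runtime.
declare const db: { webhookLogs: { create(args: { data: unknown }): Promise<unknown> } };
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);
// IPv4 ranges a callback must never target: unspecified, RFC 1918, CGNAT, loopback, link-local (metadata).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || +p > 255)) return null;
  return parts.reduce((n, p) => n * 256 + +p, 0);
}
function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === (((ipv4ToInt(base) as number) & mask) >>> 0);
}

// Works on URL.hostname, already normalised by the WHATWG parser ("127.1", "2130706433" -> "127.0.0.1").
export function isBlockedHost(hostname: string): boolean {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (BLOCKED_HOSTNAMES.has(host)) return true;
  if (host.startsWith("[")) { // IPv6 literal: loopback, unspecified, ULA, link-local, IPv4-mapped
    const v6 = host.slice(1, -1);
    return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6) || v6.startsWith("::ffff:");
  }
  const v4 = ipv4ToInt(host);
  return v4 !== null && BLOCKED_V4.some(([base, bits]) => inCidr(v4, base, bits));
}

// Accepts only http(s) URLs without embedded credentials whose host is not blocked.
export function validateCallbackUrl(raw: string | null): URL | null {
  if (!raw) return null;
  let url: URL;
  try { url = new URL(raw); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.username || url.password || isBlockedHost(url.hostname) ? null : url;
}

export async function handleWebhook(req: Request): Promise<Response> {
  const url = validateCallbackUrl(req.headers.get("x-callback-url"));
  if (!url) return new Response(JSON.stringify({ error: "invalid callback url" }), { status: 400 });
  // redirect: "manual" stops an allowed host bouncing us to a blocked one. Caveat: a public name can
  // still resolve to an internal IP (DNS rebinding); pin an allowlist or re-check the resolved address.
  const response = await fetch(url, { redirect: "manual" });
  const data = await response.json();
  await db.webhookLogs.create({ data });
  return new Response(JSON.stringify({ ok: true }), { status: 200 });
}
```

A hostname check alone cannot stop a name that resolves to an internal address, which is why an explicit allowlist of callback hosts is the stronger control where the product allows it.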


PoC

End the severity argument.

The report includes the exploit path, the blast radius, the reproduction steps. Engineering, security, and leadership see the same thing. Nobody has to take anybody's word for it.


Data flow

Trace the bug through the system.

Follow tainted input from entry to sink with the surrounding business logic intact. This is where the expensive bugs tend to hide, in the logic between the lines.


Patches

From finding to fix, fast.

Patch guidance respects the code around the bug. Teams spend less time translating abstract advice into something safe to ship.

Public archive

Real bugs. Published.

3 Critical
2 High
3 Medium

Teams using winfunc

There were vulnerabilities we thought we'd taken care of. Winfunc found extremely complex bypasses around them. And the PoC and replication instructions made it simple to confirm the bug, fix it, and verify the fix. Other security tools never would have caught these.
Noah
Co-Founder & CEO, Scout (YC W25)

Research

From the lab.

FAQ

Common questions.

All of them. Winfunc uses tree-sitter, language servers, and LLM analysis to work across any stack. We've found bugs in Arc (a Lisp dialect). If your code compiles, we can read it.

Next

Start with the work.

Book a call, or read the public findings first. Either way, the proof is there.

View findings