Statement
On the practice — 2026
The firm finds specific defects in specific software and communicates them to the parties who can fix them.
Work is conducted by Max Isaacs from Montréal. Engagements are accepted from vendors, platforms, and foundations on fixed-fee or retainer terms. Unsolicited findings, observed in passing or surfaced while scanning a portfolio of related systems, are reported to the affected party without charge. Reports are delivered as plaintext, with reproduction, remediation guidance, and timeline.
Reconnaissance is passive. The firm does not perform authenticated testing without written scope. Legal counsel is consulted before any active work on systems of unclear ownership.
The name is a reference to Frederick Law Olmsted, the nineteenth-century journalist and landscape architect, whose dispatches from the antebellum South for the New York Daily Times were a sustained exercise in outside observation: walking through a system its defenders insisted was working, looking at how it actually operated, and writing down what was broken. The method, not the subject, is the homage. A practitioner with no commercial entanglement, going in, looking carefully, and reporting back plainly. He also designed Central Park, which makes the name a small nod to the firm's New York roots.
Clients should expect the discipline of an audit and the temperament of a librarian.
Practice
Four lines of work
Vulnerability research: Targeted study of a codebase, protocol, or deployed system under defined scope. Source-available preferred.
Coordinated disclosure: Vendor liaison, embargo management, and CVE coordination through a CNA of record. Includes unsolicited findings reported pro bono.
Passive reconnaissance: Public archives, certificate transparency, DNS, and source review. Nothing authenticated, nothing intrusive.
Agentic red teaming: LLM-driven exploration of attack surface on conventional systems. Recon, fuzzing, and chained probes under human supervision. Tooling proprietary to the firm.
Methodology
House rules
Read first: Static comprehension before dynamic testing. Reproduction on a clean instance before filing.
Disclose: 90-day window standard, ceiling 180 days. Embargoes honoured in writing. CERT/CC VINCE used for multi-party coordination.
Custody: Proof-of-concept material encrypted at rest. PII never copied. Artifacts deleted at window close.
Refuse: No work against journalists, activists, or labour organisers. No engagements paid in equity or tokens. No retainers from entities under active sanction.
Instruments: Passive reconnaissance runs through Blight. Agentic work runs through Borer, a multi-agent harness for chained probes under supervision. Both are in-house, closed-source, and operated only by the firm. Named after the tree pathologies, in keeping with the practice's interest in how working systems fail from the inside.
Disclosures
Selected · Anonymized · 2025–2026
Date · Subject · Status
26·05 · A national fraternity-administration platform · Fixed
Class: Broken access control (multi-vector)
Surface: Account creation, role assignment, organization membership
Severity: Critical
An organization-administration platform shipped without verification on account registration, without authorization checks on organization membership, and without row-level security on user records. A new account could be created without identity proof, joined to any organization, elevated to any role, and used to read or modify the full member directory including personal information. Disclosed to the operator; remediation deployed prior to a planned mobile launch.
26·04 · A small artist management agency · Fixed
Class: Unrestricted file upload + missing rate limiting on shared admin surface
Surface: Public media endpoint co-located with admin dashboard
Severity: High
A consumer-facing site and its administrative dashboard shared a single hosting plane and a single upload pipeline. Uploaded media was rendered without sanitization inside the admin dashboard, meaning a malicious file submitted through the public surface would disable the operators' own remediation interface. The denial-of-service hits the very tool needed to respond. Compounding this, the administrative authentication endpoint lacked rate limiting, providing an independent brute-force path to the same compromise.
The underlying observation is architectural: a public-facing trust boundary that also serves the privileged interface inverts the normal incident-response model. Disclosed to the operators; remediation deployed.
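The two controls whose absence this finding describes, content validation on the public upload path and a cap on authentication attempts, are small enough to show directly. The following is an added illustration, not code from the agency or from the firm; the type allowlist, the limiter parameters and the sample inputs are constructed for the example. Uploads are typed by their leading bytes rather than by the client's filename, anything the dashboard will display is escaped, stored files are served with a fixed type and no sniffing, and login attempts are counted per account and per source address.

```python
"""Added example (not the agency's or the firm's code): upload validation and
login rate limiting for a site that shares its hosting plane with its admin
dashboard. All inputs and parameters here are constructed for illustration."""
import html
import secrets
import time
from collections import deque

# Accepted media types, identified by content. SVG and HTML are deliberately
# absent: nothing that can carry script reaches the dashboard's renderer.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
}
MAX_UPLOAD = 5 * 1024 * 1024  # bytes; constructed limit


class RejectedUpload(ValueError):
    pass


def accept_upload(data: bytes, declared_name: str) -> dict:
    """Return storage metadata for a valid image; raise RejectedUpload otherwise.
    The client-supplied name is never used as a path, an extension or a type hint."""
    if len(data) > MAX_UPLOAD:
        raise RejectedUpload("too large")
    for magic, (mime, ext) in MAGIC.items():
        if data.startswith(magic):
            break
    else:
        raise RejectedUpload("not an allowed image type")
    stored = f"{secrets.token_hex(16)}.{ext}"          # server-chosen name
    return {
        "stored_name": stored,
        "mime": mime,
        # The only client-controlled string the dashboard will ever render.
        "label": html.escape(declared_name, quote=True),
    }


def upload_is_accepted(data: bytes, declared_name: str) -> bool:
    try:
        accept_upload(data, declared_name)
        return True
    except RejectedUpload:
        return False


def response_headers(meta: dict) -> dict:
    """Headers for serving a stored file: fixed type, no sniffing, no inline execution."""
    return {
        "Content-Type": meta["mime"],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{meta["stored_name"]}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


class LoginRateLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit=5, window=300.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: dict[str, deque] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def attempt_login(limiter: LoginRateLimiter, username: str, client_ip: str,
                  password_ok: bool) -> str:
    # Counted per account and per source address: the per-account cap bounds
    # guessing even from a rotating pool of addresses; the per-address cap
    # bounds spraying across accounts from one source.
    if not limiter.allow(f"user:{username}") or not limiter.allow(f"ip:{client_ip}"):
        return "throttled"
    return "ok" if password_ok else "denied"


def limiter_demo() -> list:
    """Four failed attempts then a correct one after the window passes (fake clock)."""
    clock = [0.0]
    lim = LoginRateLimiter(limit=3, window=60.0, clock=lambda: clock[0])
    outcomes = [attempt_login(lim, "admin", "198.51.100.7", False) for _ in range(4)]
    clock[0] = 61.0
    outcomes.append(attempt_login(lim, "admin", "198.51.100.7", True))
    return outcomes


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    print(accept_upload(png, "cover <b>art</b>.png"))
    print(upload_is_accepted(b"<svg xmlns='http://www.w3.org/2000/svg'/>", "logo.png"))
    print(limiter_demo())
```

The two halves address the two halves of the finding: the validator means a file that would break the dashboard's renderer is refused at the public boundary rather than discovered in the admin view, and the limiter gives the authentication endpoint the bound it lacked. Serving uploads from a separate origin would be the stronger architectural fix the note above points at; these controls are what can be done inside the shared plane.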
26·04 · Electron (framework) · Routed
Class: Debugger injection via process signal
Surface: Renderer process
Severity: High
A standard POSIX signal forced an Electron renderer to open a debugging port, enabling local code injection into any trusted desktop application built on the framework. Disclosed to the Electron security team; the team scoped the signal-handling behaviour as documented platform behaviour and the responsibility as belonging to integrating applications, recommending escalation to the individual affected vendors.
26·02 · A flagship accelerator's recent cohort · Fixed
Class: Row-level security, authn gaps, stored XSS
Surface: Backend-as-a-service deployments, public endpoints
Severity: Mixed (High to Medium)
Systematic passive review of an early-stage cohort at the sector's most prominent accelerator surfaced recurring misconfigurations: permissive row-level security policies, unauthenticated administrative endpoints, and a stored cross-site scripting sink. Findings forwarded by the program's operator to affected founders; remediations confirmed.
25·12 · A Canadian rental platform · Fixed
Class: Insecure direct object reference
Surface: User document endpoint
Severity: Critical (PII)
Sequential identifiers on a user-document endpoint exposed government-issued identifiers, including SINs and SSNs, belonging to the platform's user base. Disclosed to the operator; remediation deployed under coordination.
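The fraternity-administration platform above and this rental platform share a root cause: a privileged operation that never asks who the caller is in relation to the record it touches. The following is an added illustration, not code from the firm or from any disclosed system; the Platform class, its organizations, users and documents are constructed for the example. It places each unchecked pattern beside its checked form: registration gated on a verification step, organization membership and role assignment granted only by an existing admin of that organization, a member directory visible only to members, and document reads that require both a non-enumerable identifier and an ownership check.

```python
"""Added example (not the firm's code): the authorization checks whose absence
is described in the disclosures above, in a minimal in-memory model. Every
organization, user and document here is constructed for illustration."""
import uuid
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class Org:
    name: str
    members: dict = field(default_factory=dict)   # user_id -> "member" | "admin"


@dataclass
class Document:
    id: str
    owner_id: str
    contents: str


class Platform:
    def __init__(self):
        self.orgs: dict[str, Org] = {}
        self.docs: dict[str, Document] = {}
        self.verified: set[str] = set()

    # Registration gate: an account can act only after verification completes.
    def verify_account(self, user_id: str) -> None:
        self.verified.add(user_id)

    def _require_verified(self, user_id: str) -> None:
        if user_id not in self.verified:
            raise Forbidden("unverified account")

    # Unchecked pattern: any caller joins any organization at any role.
    def join_org_unchecked(self, user_id: str, org_name: str, role: str = "admin") -> None:
        self.orgs[org_name].members[user_id] = role

    # Checked form: membership is granted by an admin, and the grantor's role
    # is looked up in the organization being modified, not anywhere else.
    def add_member(self, actor_id: str, org_name: str, new_user_id: str,
                   role: str = "member") -> None:
        self._require_verified(actor_id)
        org = self.orgs[org_name]
        if org.members.get(actor_id) != "admin":
            raise Forbidden(f"{actor_id} is not an admin of {org_name}")
        if role not in ("member", "admin"):
            raise ValueError("unknown role")
        org.members[new_user_id] = role

    # Row-level rule: the directory is readable only by members of that org.
    def member_directory(self, actor_id: str, org_name: str) -> list:
        self._require_verified(actor_id)
        org = self.orgs[org_name]
        if actor_id not in org.members:
            raise Forbidden("not a member")
        return sorted(org.members)

    # Documents get random identifiers (no enumeration) AND an ownership check
    # on every read. Either alone is insufficient: random ids leak through
    # logs and referrers; ownership checks alone still confirm which ids exist.
    def store_document(self, owner_id: str, contents: str) -> str:
        doc_id = uuid.uuid4().hex
        self.docs[doc_id] = Document(doc_id, owner_id, contents)
        return doc_id

    def fetch_document_unchecked(self, doc_id: str) -> str:     # the IDOR pattern
        return self.docs[doc_id].contents

    def fetch_document(self, actor_id: str, doc_id: str) -> str:
        self._require_verified(actor_id)
        doc = self.docs.get(doc_id)
        # One error for "missing" and "not yours" avoids confirming existence.
        if doc is None or doc.owner_id != actor_id:
            raise Forbidden("no such document")
        return doc.contents


def demo() -> dict:
    """Walk the checked paths with a constructed org, an admin and an outsider."""
    p = Platform()
    p.orgs["alpha"] = Org("alpha", {"alice": "admin"})
    p.verify_account("alice")
    p.verify_account("mallory")
    results = {}
    try:
        p.add_member("mallory", "alpha", "mallory", "admin")   # self-elevation
        results["self_join"] = "allowed"
    except Forbidden:
        results["self_join"] = "refused"
    p.add_member("alice", "alpha", "bob")
    results["directory"] = p.member_directory("alice", "alpha")
    doc = p.store_document("alice", "passport scan")
    results["unchecked_read"] = p.fetch_document_unchecked(doc)   # what the old endpoint did
    try:
        p.fetch_document("mallory", doc)
        results["cross_read"] = "allowed"
    except Forbidden:
        results["cross_read"] = "refused"
    results["owner_read"] = p.fetch_document("alice", doc)
    return results


def unverified_is_refused() -> bool:
    p = Platform()
    p.orgs["alpha"] = Org("alpha", {"eve": "admin"})   # listed, but never verified
    try:
        p.member_directory("eve", "alpha")
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    print(demo())
    print(unverified_is_refused())
```

The shape to notice is that every checked method takes the acting user as an explicit argument and evaluates the rule against the specific row being touched; a platform where the handler can reach a record without naming who is asking is the one that ships the defects listed above.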
Erg Goed
Sibling project · privacy-focused self-hosted media
The firm also operates Erg Goed, a self-hosted media stack designed for people who would rather not be metered, profiled, or recommended at.
Books, articles, music, video, and feeds, served from your own hardware. No accounts with third parties, no telemetry, no reader logs leaving the network. The stack is documented end-to-end: hardware, network segmentation, services, and the threat model that motivates each choice.
The work belongs on this site because the underlying discipline is the same. The same operator who handles client material and disclosure custody also designed Erg Goed; the same passive-reconnaissance posture that informs the firm's research informs what Erg Goed refuses to phone home about.
erggoed.com
Contact
Correspondence
PGP fingerprint · ed25519 · public key
XXXX XXXX XXXX XXXX XXXX
XXXX XXXX XXXX XXXX XXXX