Every technique in this registry was discovered or significantly extended by a CredShields engagement, then verified across multiple targets. The goal is a shared artifact the security community can reference. Not just a marketing page.
ID
Name
Class
Severity
Disclosed
CS-001
Placeholder: GraphQL alias brute-force bypass
Auth · Rate-limit
HIGH
TBD
CS-002
Placeholder: Indirect prompt injection via calendar invite
LLM · Injection
CRIT
TBD
CS-003
Placeholder: RAG cache key omission enabling cross-tenant reads
LLM · Retrieval
HIGH
TBD
CS-004
Placeholder: Mobile certificate pinning gap via analytics subdomain
Mobile · Network
CRIT
TBD
CS-005
Placeholder: Tenant ID pollution via nested JSON fields
API · Authorization
CRIT
TBD
// real entries will replace these placeholders · structure is production-ready
How to submit a finding
This registry is ours, but we credit external researchers who extend a technique with public analysis or a PoC. If you've built on a CS-ID entry and have something to add, email [email protected].