REAL-WORLD FINDINGS

Security Findings
From Production Code

Real vulnerabilities caught by our scanner.

See actual security issues, privacy violations, and bias patterns detected in production systems. Learn from before/after examples.

15,000+
Issues Found
98%
Critical Fixed
500+
Companies Protected
$50M+
Fines Prevented
R001 CRITICAL

Gender Bias in Resume Screening AI

Tech Startup (Series B)

Finding

Training data contained 85% male resumes for engineering roles, leading to systematic rejection of female candidates.

Impact

Potential NYC LL144 violation. Risk of discrimination lawsuit. 67% of qualified female candidates rejected.

Before (Vulnerable)

# Training Data Analysis
df['gender'].value_counts()
# Output:
# Male: 8,500 (85%)
# Female: 1,500 (15%)

model.fit(X_train, y_train)
# Model learned gender bias from imbalanced data

After (Fixed)

# Fixed: Balanced Training Data
from imblearn.over_sampling import SMOTE

# SMOTE balances the classes of whatever is passed as its target, so to even
# out gender representation (not the hire/reject label) the gender column is
# the resampling target; the label rides along as a feature and is split back
# out afterwards. Assumes X_train is a DataFrame aligned row-for-row with df.
smote = SMOTE(sampling_strategy='auto')
X_with_label = X_train.assign(label=y_train)
X_balanced, gender_balanced = smote.fit_resample(X_with_label, df['gender'])
y_balanced = X_balanced.pop('label').round().astype(int)

# Verify balance
df_balanced = X_balanced.assign(gender=gender_balanced)
df_balanced['gender'].value_counts()
# Male: 5,000 (50%)
# Female: 5,000 (50%)

model.fit(X_balanced, y_balanced)

Outcome

Retrained model with balanced data. Disparate impact reduced from 0.33 to 0.92. Passed NYC LL144 bias audit.

R003 CRITICAL

PII Exposure in Application Logs

Healthcare SaaS (Enterprise)

Finding

Patient emails, phone numbers, and medical record numbers logged in plaintext across 50,000+ log entries.

Impact

HIPAA violation. Potential $50,000 fine per violation. PHI exposed to unauthorized personnel.

Before (Vulnerable)

# Vulnerable Logging
import logging

logger = logging.getLogger(__name__)

def process_patient(patient):
    logger.info(f"Processing patient: {patient.email}")
    logger.info(f"MRN: {patient.medical_record_number}")
    logger.info(f"Phone: {patient.phone}")
    # PHI logged in plaintext!

After (Fixed)

# Fixed: PII Redaction
import hashlib
import hmac
import logging
import os

logger = logging.getLogger(__name__)

# Keyed hash: an unkeyed SHA-256 of an email or MRN can be reversed by hashing
# a candidate list, so the log pseudonym is an HMAC under a secret that lives
# outside the logs (read here from the environment)
_PII_HMAC_KEY = os.environ["LOG_PII_HMAC_KEY"].encode()

def hash_pii(value):
    digest = hmac.new(_PII_HMAC_KEY, str(value).encode(), hashlib.sha256)
    return digest.hexdigest()[:8]  # short token, enough to correlate log lines

def process_patient(patient):
    logger.info(f"Processing patient: {hash_pii(patient.email)}")
    logger.info(f"MRN: {hash_pii(patient.medical_record_number)}")
    # Phone number completely omitted from logs
    # PHI protected!

Outcome

Implemented PII redaction across all logging. Passed HIPAA audit. Zero PHI exposure in logs.
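The fix above relies on every call site remembering to hash. As an added example (not the page's or the scanner's code), the following logging filter scrubs email, phone and MRN patterns from every record before it is written, so a forgotten call site still does not leak PHI; the MRN format and the sample log lines are constructed assumptions.

```python
import logging
import re

# Patterns for the three PHI fields the finding names. The MRN format is a
# constructed assumption (the label "MRN" followed by 6+ digits); substitute the
# real scheme. MRN comes first so a long MRN is not mislabelled as a phone.
PII_PATTERNS = [
    (re.compile(r'\bMRN[:\s-]*\d{6,}\b', re.IGNORECASE), '[MRN]'),
    (re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+'), '[EMAIL]'),
    (re.compile(r'(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)'), '[PHONE]'),
]

def redact(text):
    """Replace every PII match with its bracketed label."""
    for pattern, label in PII_PATTERNS:
        text = pattern.sub(label, text)
    return text

class PIIRedactingFilter(logging.Filter):
    """Scrubs the fully interpolated message of each record before it is emitted.

    Attach it to handlers rather than loggers: logger-level filters do not run
    on records that arrive by propagation from child loggers.
    """
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()   # already interpolated into msg
        return True

def redacted_message(msg, *args):
    """Build a record the way logging does and return its message after filtering."""
    record = logging.LogRecord('app', logging.INFO, __file__, 0, msg, args, None)
    PIIRedactingFilter().filter(record)
    return record.getMessage()

# Constructed log lines in the shape of the finding's 'before' code
SAMPLE_LINES = [
    "Processing patient: jane.doe@example.org",
    "MRN: 00123456 callback (555) 123-4567",
]

if __name__ == '__main__':
    handler = logging.StreamHandler()
    handler.addFilter(PIIRedactingFilter())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    for line in SAMPLE_LINES:
        logging.getLogger('app').info(line)
```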

R006 CRITICAL

Hardcoded AWS Credentials in Repository

Fintech Startup (Seed)

Finding

Production AWS access keys hardcoded in config file and committed to public GitHub repository.

Impact

Immediate security breach. $12,000 in unauthorized AWS charges. Customer data potentially accessed.

Before (Vulnerable)

# config.py (COMMITTED TO GITHUB!)
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Used directly in code
s3_client = boto3.client(
    's3',
    aws_access_key_id=AWS_ACCESS_KEY_ID,
    aws_secret_access_key=AWS_SECRET_ACCESS_KEY
)

After (Fixed)

# Fixed: Environment Variables + Secrets Manager
import json
import boto3

# No keys in code: boto3's default credential chain resolves them from the
# environment (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY), the shared
# credentials file, or the instance/task IAM role (never commit!)
s3_client = boto3.client('s3')

# For application secrets such as third-party API keys, use Secrets Manager
secrets_client = boto3.client('secretsmanager')
response = secrets_client.get_secret_value(
    SecretId='prod/api/keys'
)
api_key = json.loads(response['SecretString'])['key']

Outcome

Rotated all exposed credentials. Implemented AWS Secrets Manager. Added pre-commit hooks to prevent future leaks.
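The outcome mentions pre-commit hooks. As an added example (not the page's or the scanner's code), this is a minimal hook that scans only the staged additions for AWS key material and blocks the commit on a hit; the `git diff --cached` call assumes it runs inside a repository, and the detection function can be exercised on its own.

```python
import re
import subprocess
import sys

# AWS access key IDs are 'AKIA' (long-term) or 'ASIA' (temporary) plus 16
# upper-case alphanumerics; the 40-character secret is only flagged when it
# sits in an assignment that names it, to keep false positives low.
AWS_KEY_ID = re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b')
AWS_SECRET = re.compile(
    r'aws[_-]?secret[_-]?access[_-]?key\W{0,4}([A-Za-z0-9/+=]{40})', re.IGNORECASE)

def find_secrets(text):
    """Return (line_number, kind, matched_value) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in AWS_KEY_ID.finditer(line):
            findings.append((lineno, 'aws_access_key_id', match.group(0)))
        for match in AWS_SECRET.finditer(line):
            findings.append((lineno, 'aws_secret_access_key', match.group(1)))
    return findings

def staged_added_lines():
    """Only the '+' lines of the staged diff, so existing text is not rescanned on every commit."""
    diff = subprocess.run(['git', 'diff', '--cached', '--unified=0'],
                          capture_output=True, text=True, check=True).stdout
    return '\n'.join(line[1:] for line in diff.splitlines()
                     if line.startswith('+') and not line.startswith('+++'))

def main():
    hits = find_secrets(staged_added_lines())
    for lineno, kind, value in hits:
        # Print only a prefix so the hook itself never echoes the secret
        print(f'blocked: {kind} starting {value[:4]}... at staged line {lineno}')
    return 1 if hits else 0   # non-zero exit aborts the commit

if __name__ == '__main__':
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or as a local hook in a pre-commit framework config); the sample key pair in the finding above is AWS's documented example value and is caught on both lines.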

R009 CRITICAL

Age Discrimination in Loan Approval Model

Digital Bank (Series C)

Finding

Loan approval rates for applicants over 50 were 38% lower than younger applicants with identical credit profiles.

Impact

ECOA violation. Potential class-action lawsuit. Regulatory investigation by CFPB.

Before (Vulnerable)

# Model using age as feature
features = ['age', 'income', 'credit_score', 'debt_ratio']
model.fit(X[features], y)

# Disparate impact analysis
approval_rate_under_50 = 0.72
approval_rate_over_50 = 0.45
# Ratio: 0.625 (VIOLATION - below 0.80)

After (Fixed)

# Fixed: Age-blind model with fairness constraints
from fairlearn.reductions import DemographicParity, ExponentiatedGradient

# Remove age, use only credit-relevant features
features = ['income', 'credit_score', 'debt_ratio',
            'employment_length', 'payment_history']

# Age stays out of the features but is still needed as the sensitive
# attribute the constraint is evaluated against
age_group = (X['age'] > 50).map({True: 'over_50', False: 'under_50'})

# Apply fairness constraint
constraint = DemographicParity()
mitigator = ExponentiatedGradient(model, constraints=constraint)
mitigator.fit(X[features], y, sensitive_features=age_group)

# New approval rates
approval_rate_under_50 = 0.68
approval_rate_over_50 = 0.66
# Ratio: 0.97 (COMPLIANT)

Outcome

Retrained model without age bias. Passed fairness audit. Documented disparate impact testing for regulators.
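Findings R001 and R009 both rest on a disparate impact ratio and the 0.80 four-fifths threshold. As an added example (not the page's or the scanner's code), the check below computes that ratio from per-group selection rates; the applicant lists are constructed to reproduce the R009 'before' rates of 0.72 and 0.45. This is the aggregate test; the finding's "identical credit profiles" wording means running it within each credit band as well.

```python
from collections import Counter

def selection_rates(outcomes, groups):
    """Selection (approval/hire) rate per group; outcomes are 1 = selected, 0 = rejected."""
    totals, selected = Counter(), Counter()
    for outcome, group in zip(outcomes, groups):
        totals[group] += 1
        selected[group] += int(outcome)
    return {group: selected[group] / totals[group] for group in totals}

def disparate_impact(outcomes, groups, privileged):
    """Four-fifths rule ratio: lowest other-group rate divided by the privileged group's rate."""
    rates = selection_rates(outcomes, groups)
    privileged_rate = rates[privileged]
    if privileged_rate == 0:
        raise ValueError("privileged group has no selections; ratio undefined")
    return min(rate for group, rate in rates.items() if group != privileged) / privileged_rate

def four_fifths_compliant(ratio, threshold=0.80):
    """Below 0.80 is the rule-of-thumb trigger for an adverse impact review."""
    return ratio >= threshold

# Constructed sample reproducing the R009 'before' numbers:
# 100 applicants under 50 with 72 approvals, 100 applicants over 50 with 45.
AGE_GROUPS = ['under_50'] * 100 + ['over_50'] * 100
DECISIONS = [1] * 72 + [0] * 28 + [1] * 45 + [0] * 55

if __name__ == '__main__':
    ratio = disparate_impact(DECISIONS, AGE_GROUPS, privileged='under_50')
    print(f"disparate impact {ratio:.3f}, compliant: {four_fifths_compliant(ratio)}")
```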

R004 HIGH

Missing GDPR Consent for Cookie Tracking

E-commerce Platform (Public)

Finding

Analytics cookies set before user consent. 2.5M EU users tracked without explicit opt-in.

Impact

GDPR Article 6 violation. Potential €20M fine (4% of revenue). Data protection authority investigation.

Before (Vulnerable)

<!-- Vulnerable: Cookies set immediately -->
<script>
  // Analytics loaded before consent
  gtag('config', 'GA-XXXXXXXXX');
  fbq('init', 'XXXXXXXXX');
  // Tracking starts immediately!
</script>

<body>
  <!-- Consent banner shown AFTER tracking -->
  <div id="cookie-banner">
    We use cookies...
  </div>
</body>

After (Fixed)

<!-- Fixed: Consent-first approach -->
<script>
  // Wait for consent before loading analytics. The gtag.js / fbevents.js
  // loader <script> tags must also be deferred into this handler: fetching
  // them is what sets the first cookies.
  window.addEventListener('consent-granted', function() {
    // Only load after explicit consent
    gtag('config', 'GA-XXXXXXXXX');
    fbq('init', 'XXXXXXXXX');
  });

  function grantConsent() {
    document.getElementById('cookie-banner').style.display = 'none';
    window.dispatchEvent(new Event('consent-granted'));
  }

  function rejectConsent() {
    document.getElementById('cookie-banner').style.display = 'none';
    // Nothing is loaded: no analytics, no tracking cookies
  }
</script>

<body>
  <!-- Consent banner shown FIRST -->
  <div id="cookie-banner" style="display:block">
    <button onclick="grantConsent()">Accept</button>
    <button onclick="rejectConsent()">Reject</button>
  </div>
</body>

Outcome

Implemented consent management platform. Achieved GDPR compliance. Zero tracking before consent.

R005 CRITICAL

Unencrypted Database Connection

SaaS Platform (Growth)

Finding

Production database accessed over unencrypted connection. Customer PII transmitted in plaintext.

Impact

SOC 2 audit failure. Potential data breach. Customer trust violation.

Before (Vulnerable)

# Vulnerable: No SSL/TLS
from sqlalchemy import create_engine

DATABASE_URL = "postgresql://user:pass@db.example.com:5432/prod"

engine = create_engine(DATABASE_URL)
# No sslmode given: libpq's default 'prefer' never verifies the server and
# silently falls back to plaintext if the server does not offer TLS
# Data transmitted in plaintext!

After (Fixed)

# Fixed: Enforce SSL/TLS
from sqlalchemy import create_engine

DATABASE_URL = "postgresql://user:pass@db.example.com:5432/prod?sslmode=require"

# 'require' in the URL only guarantees encryption; connect_args override the
# URL and raise it to 'verify-full', which also checks the server certificate
# against the CA and the hostname, so a spoofed database is rejected
engine = create_engine(
    DATABASE_URL,
    connect_args={
        'sslmode': 'verify-full',
        'sslrootcert': '/path/to/ca-cert.pem'
    }
)
# All data encrypted in transit!

Outcome

Enforced TLS 1.3 for all database connections. Passed SOC 2 Type II audit. Implemented certificate pinning.
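The difference between `sslmode=require` and `verify-full` is easy to lose in a config review. As an added example (not the page's or the scanner's code), this check resolves the sslmode a SQLAlchemy/psycopg2 connection actually ends up with, given that connect_args override the URL query, and lists what is still wrong; the URL and connect_args are the values shown in the finding above.

```python
from urllib.parse import parse_qs, urlparse

# libpq sslmode values from weakest to strongest. Everything below verify-ca
# accepts any server certificate, so 'require' encrypts the link but cannot
# tell the real database from an impostor; only verify-full also checks the
# hostname.
SSLMODE_RANK = {'disable': 0, 'allow': 1, 'prefer': 2, 'require': 3,
                'verify-ca': 4, 'verify-full': 5}

def effective_sslmode(database_url, connect_args=None):
    """sslmode the driver ends up with; SQLAlchemy's connect_args override URL query values."""
    query = parse_qs(urlparse(database_url).query)
    mode = query.get('sslmode', ['prefer'])[-1]   # libpq's default is 'prefer'
    if connect_args and 'sslmode' in connect_args:
        mode = connect_args['sslmode']
    return mode

def tls_problems(database_url, connect_args=None):
    """List the reasons this connection configuration is not acceptable for PII."""
    connect_args = connect_args or {}
    parsed = urlparse(database_url)
    problems = []
    mode = effective_sslmode(database_url, connect_args)
    if SSLMODE_RANK.get(mode, -1) < SSLMODE_RANK['verify-full']:
        problems.append(f"sslmode={mode}: server certificate and hostname are not verified")
    has_root = 'sslrootcert' in connect_args or 'sslrootcert' in parse_qs(parsed.query)
    if mode.startswith('verify') and not has_root:
        problems.append("no sslrootcert set: verification falls back to ~/.postgresql/root.crt, "
                        "which must exist and hold the CA that signed the server certificate")
    if parsed.password:
        problems.append("database password embedded in DATABASE_URL: load it from a secret store")
    return problems

# The finding's 'before' and 'after' configurations (values as shown above)
BEFORE_URL = "postgresql://user:pass@db.example.com:5432/prod"
AFTER_URL = "postgresql://user:pass@db.example.com:5432/prod?sslmode=require"
AFTER_ARGS = {'sslmode': 'verify-full', 'sslrootcert': '/path/to/ca-cert.pem'}

if __name__ == '__main__':
    for label, url, args in (('before', BEFORE_URL, None), ('after', AFTER_URL, AFTER_ARGS)):
        print(label, effective_sslmode(url, args), tls_problems(url, args))
```

Note that the 'after' configuration still gets one finding: the password sitting in the URL string, which the same secret-store approach as R006 removes.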

Find Issues Before They Cost You

Scan your codebase and catch vulnerabilities early.