Active Researcher

Vulnerability Research & Security

Identifying and responsibly disclosing vulnerabilities in cryptographic systems, compilers, and public infrastructure.

Kernel · V8/JIT · NFC/RFID · Cryptography
Stuart Thomas — security researcher, wearing many hats
35+ Years in Security
Open Source & Research
NHS National Crypto Standards
Oracle Former Ethical Hacker

Research Areas

macOS & Darwin / XNU

Methodology for macOS vulnerability research — the BSD-to-XNU CVE cross-reference technique, the discipline of evidence and red-team review, vendor coordination under the 90-day standard. See the free Complete Framework book.

Cryptographic Systems & Smart Cards

Smart card design, PKI architecture, key management, and cryptographic protocol analysis. Co-authored NHS national cryptographic standards (2004). Designed ActivCard contactless and TfL Oyster contactless ticketing infrastructure.

Network Infrastructure

Large-scale network architecture. Designed PlayStation 2 network infrastructure for UK market. Resilience, scalability, secure connectivity.

Compiler & JIT Analysis

Low-level vulnerability research in optimising compilers. Type coercion, unboxing, JIT-specific edge cases. V8, Turbofan, Maglev, SpiderMonkey.

Public Infrastructure

Security analysis for NHS, TfL, financial institutions, and government networks. Scalability, resilience, regulatory compliance.

Application Security

OWASP research, injection attacks, authentication bypass, supply chain security, and attack surface reduction.

Protocol & Network

ICMP crafting, DNS poisoning, tunnel protocols. Edge case exploration in RFC-compliant implementations.

Data Protection & Privacy

UK GDPR, DPA 2018, emerging AI/ML privacy risks. Data subject rights, breach response, and algorithmic transparency. CIPP/E certified.

Publications & Research

2026
Book · Free

macOS Security Research: A Complete Framework

Independent · Released free under CC BY-SA 4.0
A complete six-phase methodology distilled from 35 years of structured practice — Scope, Recon, Research Tracks, Red-Team, Submission, Archive. Eleven chapters covering vendor disclosure under the 90-day standard, the Darwin/XNU security landscape (with the FreeBSD/OpenBSD CVE cross-reference technique), the discipline of proof, and the human side of working with vendor security teams. Builds on the 2001 SANS ICMP work and follows PING as the through-line metaphor. Released April 2026 as a free gift to the community under copyleft. DOI: 10.5281/zenodo.19855016. ORCID: 0009-0008-4518-0064.

Download (HTML / EPUB / PDF) · 5-min TL;DR
2026
Paper

Spectral Complexity Screening for Binary Security Analysis

Independent Research · Whitby · 2026
A Random Matrix Theory approach to automated vulnerability triage in compiled binaries. Applies Wigner spectral statistics, SAT phase-transition backbone analysis, and cyclomatic complexity gating to reduce a 335-binary macOS corpus to 12 candidates (96.4% reduction) for deeper analysis. Four-stage pipeline (C1 SAT backbone → C2 RMT spectral screen → C3 dataflow templates → C6 symbolic taint) with full theoretical grounding and empirical false-positive taxonomy. DOI: 10.5281/zenodo.19855615. ORCID: 0009-0008-4518-0064.

HTML · PDF · GitHub Markdown

Prepared with Claude (Anthropic) as assistive technology. See Acknowledgements. Use of AI assistive technology is consistent with the principles of the Equality Act 2010 (Sections 6, 15, 20–21).
2026

OpenBSD Kernel: ELF Exec Pinsyscall Table Corruption

OpenBSD · Reported to Theo de Raadt
A binary without a PT_LOAD exec segment would read a pinsyscall table and damage it. Fix: fail the execve with EINVAL. Committed by deraadt, reviewed by guenther.   Commit
2026

OpenBSD Kernel: Unveil Override Behaviour & Documentation Fix

OpenBSD · Question to Theo de Raadt
Before unveil is disabled, it allows overriding settings on any vnode. Dead code removed, misleading manual page wording corrected. Committed by deraadt, reviewed by beck.   Commit
2004

Cryptographic Algorithms & Key Management Standards

NHS Connecting for Health (Co-author)
National standard sourced from NIST SP publications. Referenced in academic literature and healthcare infrastructure documentation.
2006

Security Analysis: ActivCard Contactless Smart Card Air-Gap

Author
Independent security research in NFC/RFID architecture and contactless payment systems. Available on request.
2005
Updated 2026

Why SQL Injection Won't Go Away

GIAC GSEC · SANS Institute
Cited in Wikipedia: SQL Injection.   Markdown · PDF · GitHub
2005
Updated 2026

ICMP Crafting and Related Issues

GIAC GSEC · SANS Institute
Cited in Wikipedia: ICMP Tunnelling.   Markdown · PDF · GitHub

Tools & SDKs

2026

NTAG 424 DNA SDK for macOS

Swift · C · AGPL v3 · Zero Dependencies
The first native macOS SDK for NXP NTAG 424 DNA NFC authentication. Full EV2First mutual authentication, Secure Dynamic Messaging (SDM), AES-128-CMAC verification, and complete key management. 2,145 lines. Built on CryptoTokenKit — no third-party dependencies.

GitHub · Live Platform

Qualifications & Experience

Industry

Consultant Engineer
PwC · Oracle · Deloitte · NHS · TfL · LSE · Sony · Reuters
Data Privacy & DPO Consultant
DPO Interim Ltd · 2020–2023

Certifications

CIPP/E
IAPP
GIAC GSEC
SANS Institute
CiSMP (Distinction)
BCS
CCNA
Cisco
C-GDPR-P
IT Governance

Specialised Training

AI Ethics & Responsible AI
Alan Turing Institute / Linux Foundation
Ethical Hacking & Penetration Testing
Practical Red Team
Smart Card & NFC Security
Gemalto / NXP
Cryptographic Key Management
Thales HSM

Education

Professional Certificate in Management
Open University (Level 6)
ICT
Open University (Level 5)
Certificate in Legal Studies
Open University (Level 4)

Responsible Disclosure

All research is conducted under strict responsible disclosure guidelines. Findings are reported directly to affected vendors with a coordination timeline of 90 days (or extended at vendor request). Public disclosure occurs only after vendor confirmation of patching.

For vendor programmes, I follow vendor-specific disclosure terms and CVE coordination processes.
