Field notes, CVEs, and the specifications that came out of the work.
Yinkozi engineers contribute to research in two surfaces: under the firm's own name for advisories, CVEs, and conference work — and under the YinkoShield product line for the technical specifications and architecture deep-dives that came out of customer engagements.
The technical-specification surface lives at yinkoshield.com.
Architecture, threat-model, evidence-format, and protocol work belongs to the product line — YinkoShield. Six themes, multiple articles each, written for security architects.
What backends cannot prove about what executed on the device — the gap that mobile and POS fraud lives in.
Evidence-bound architectures that close the unobserved-interval gap. Field-tested at tier-1 scale.
Overlay abuse, accessibility-service compromise, SIM-swap, app repackaging, runtime tampering.
Terminal-level integrity, agent-banking economics, fleet-onboarding, hardware-key-bound evidence.
Device-bound signing, ledger continuity, sovereign verification — the YEI-001 specification.
How signed device-side evidence integrates into existing audit, dispute, and AML pipelines.
What we publish under the firm's own name.
Most Yinkozi engagements are under non-disclosure. Where the customer permits, and where it serves the wider community, our engineers publish.
CVEs and coordinated disclosures. Yinkozi engineers have authored CVEs against vendor and open-source software found during customer engagements. Disclosure is coordinated with the upstream vendor under standard timelines. A current list is available on request.
Conference work and talks. Selected engineering output is presented at security conferences when customer agreements permit. Topics typically map to the customer-derived patterns we've spent months solving — payment-network integrity, hardware-bound identity, OT protocol fuzzing, mobile runtime instrumentation.
Advisories. Public advisories Yinkozi has authored against named targets (vendors, open-source projects, scheme-adjacent infrastructure) are published with a coordinated-disclosure window and credited to the originating engineer. Aggregation page in preparation.
What we do not publish. Customer-specific findings, architecture details of customer systems, threat models built for specific engagements, and the contents of the YEI-001 specification while it remains under regulator/qualifying-partner NDA.
Looking for a specific advisory or paper?
Email us with the topic or CVE identifier and we will route the request to the originating engineer.
email