STAR Labs is a Singapore-based offensive security firm specializing in vulnerability research and advanced cybersecurity training. We identify critical weaknesses in widely used software, collaborate with vendors to remediate them, and equip defenders with the mindset and techniques of real-world attackers. Our expertise is demonstrated through success at Pwn2Own and a strong track record of responsible vulnerability disclosures to Microsoft, Google, and enterprise clients across Asia.
From product audits to red team engagements, our services are run by the same people who find bugs in browsers, kernels, and firmware.
Licensed pentesting in Singapore (CS/PTS/C-2022-0106). Web, mobile, network, cloud, and infrastructure assessments run by researchers who also find 0-days.
Learn more →Adversary-emulation engagements that test whether your detection & response actually work when a capable attacker is inside.
Learn more →Targeted research on your product, supply chain, or key third-party software. Reverse engineering, fuzzing, and manual review to surface pre-disclosure vulnerabilities.
Learn more →Manual code review by researchers who've found critical bugs in the Linux kernel, Chromium, Windows, and IoT firmware.
Learn more →Hands-on offensive-security training for blue teams, developers, and researchers-in-training. Delivered by instructors with real exploit chains to their name.
Learn more →Strategic guidance for CISOs and product teams navigating secure-by-design, SDLC, and incident response.
Learn more →CVE: CVE-2026-20147 Affected Versions: Cisco ISE / ISE-PIC 3.4 prior to Patch 6 (and equivalently 3.1 < P11, 3.2 < P10, 3.3 < P11, …
A CRLF injection vulnerability in Apache Pony Mail's Lua implementation allows an unauthenticated attacker to smuggle arbitrary HTTP …
CVE: CVE-2025-55336 Affected Versions: Windows 10 (21H2, 22H2, 1809), Windows 11 (22H2, 23H2, 24H2, 25H2), Windows Server 2019, 2022, 2022 …
A missing OBJ_FORCE_ACCESS_CHECK flag in vhdmp.sys allows a low-privileged local attacker to write arbitrary data to any file on the system …
A use-after-free in tls_sw_recvmsg arises when a zero-length decrypted TLS record causes darg.skb (strp->anchor) to be queued into rx_list …
CVE: CVE-2025-50170 Affected Versions: Windows 10 (1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), Windows Server 2019, 2022, 2025 …
How we developed four complete full-chain exploits across four LiteLLM versions in a race against a target that kept getting patched under our feet, in preparation for Pwn2Own …
TL;DR In April 2026, Adobe disclosed three critical security issues (CVE-2026-34621,CVE-2026-34622,CVE-2026-34626) affecting Acrobat DC, Acrobat Reader DC, and Acrobat 2024. …
TL;DR In January 2026, the Chrome Releases blog announced several security fixes across different Chrome components. One entry caught our attention: CVE-2026-0899, an Out-of-Bounds …
Every vulnerability we find goes through a structured disclosure process. Here are some of the vendors we've worked with.
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software …
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software …
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software …
Drop us a line. We'll scope a pentest, red team, or code audit tailored to your stack.
Contact STAR Labs