TFSecurity
Malaysian security researchers. We focus on deep security research and offensive security across the world.
[ 01 ]
WHO WE ARE
We are an independent team of Malaysian security researchers. We focus on security research across the world.
TFSec is a dedicated collective of researchers. We test systems, find critical vulnerabilities, report them responsibly, and document our findings. We spend our time hunting on real-world targets and doing deep research into how complex systems actually break.
MY
Based in Malaysia
100%
Open Research
[ 02 ]
OUR WORK
SECURITY RESEARCH
We dig into how web applications and systems work under the hood. When we find something interesting or a new way things can break, we document it properly and share it here.
READ OUR RESEARCH →VULNERABILITY RESEARCH
We actively hunt for vulnerabilities across complex systems worldwide. When we find and report critical security flaws, we document the process and what we learned from it.
HACKERONE ↗[ 03 ]
THE TEAM
A collective of security researchers from Malaysia. We focus on deep security research across the world.
[ 04 ]
RECORDS
Our recent standings and achievements on HackerOne leaderboards and private programs.
MALAYSIA LEADERBOARD
+
// Q2 2026 (APR - JUN)
VIEW LEADERBOARD ↗// Q1 2026 (JAN - MAR)
VIEW LEADERBOARD ↗GLOBAL: SOURCE CODE
+
// Q2 2026 (APR - JUN)
VIEW LEADERBOARD ↗// Q1 2026 (JAN - MAR)
VIEW LEADERBOARD ↗ADOBE
+
STRIPE
+
// 2026
VIEW PROGRAM ↗// ALL TIME
[ 05 ]
LATEST RESEARCH
25 CVEs in Adobe Content Credentials SDK & Adobe Commerce
A breakdown of our recent vulnerability research on Adobe's Content Credentials SDK and Adobe Commerce, resulting in 25 assigned CVEs for the team.
Welcome to TFSec
Who we are, what we do, and what you can expect from this blog.
[ 06 ]
FAQ
What is TFSec?
A team of Malaysian security researchers. We do security research, vulnerability analysis, and write about what we find. We are not a company, just a dedicated team.
How did you guys start?
We started as a group of friends interested in web security. Over time, we teamed up to focus on deep security research full-time.
What do you post on the blog?
Security research we have done, CVEs we found, and interesting vulnerabilities we reported. Basically anything we think is worth sharing.
Are you open to new members?
Not actively recruiting right now. But if you are into web security and have something to show, reach out. We keep it small on purpose.


