Tim Haines

I find cross-tenant flaws that pentests and bug bounties miss

Code-level authorization reviews for B2B SaaS, across your APIs, MCP servers, and the AI agents you’ve wired into customer data.

I do focused security reviews for B2B SaaS teams. Maybe a bigger customer’s security review is holding up a deal, or you’ve wired an AI agent or MCP server into customer data and don’t know its blast radius. Either way, your engineers get findings they can act on, with the exploit path and how to fix it.

I led a multi-quarter authorization and multi-tenant isolation overhaul that took a SaaS platform upmarket: rolling tenant isolation through 45+ data models, designing an access-rules system, and hardening the boundaries that stop one customer ever seeing another’s data. Before that I founded Percy (visual testing, acquired by BrowserStack) and Respondly (acquired by Buffer).

I’ve spent years reading code for security bugs, and that judgment is what the engagement buys. Tools surface candidates fast. I decide which are real, what it would take to exploit them, and which to fix first.

I’ve run the bug bounty programs at all three companies, so I know what crowdsourced testing and external pentests turn up, and where they stop. Most of that stays at the surface of the running app, hitting APIs and poking at inputs. The problems that actually breach you sit deeper, in the code and the release path and how access gets enforced. That’s what I read for.

Authorization & Cross-Tenant Isolation Review

from $10,000

Broken access control is the most common way B2B SaaS leaks data across tenants. It’s a logic bug, and it lives in the code, so the scanners hitting your running app at the surface walk right past it. I read the actual code: the database queries, the access checks, the tenant boundaries. The same bug class shows up everywhere you hand out data now: your APIs, your MCP servers, and the AI agents you’ve given access to it. The review covers all three.

I don’t just flag it. I make one test account reach another customer’s data, then hand you the reproducible steps, the fix, and how to keep it from creeping back as you ship.

Scope: application authorization and tenant isolation, code-level, across APIs, MCP servers, and multi-tenant SaaS. Not cloud or runtime infrastructure.

Also

Supply Chain & Release Integrity Audit

from $5,000

Often the same enterprise review asks how your code ships. Poisoned dependencies, compromised GitHub Actions, leaked publish tokens, a pipeline one bad PR can subvert. I review dependency intake, CI/CD, release provenance, and secret hygiene, and hand back ranked findings with a real exploit path and the fix. Up to publish, not cloud or runtime.

Cross-tenant CVE I reported

Cross-tenant data access in a filter API

High CVSS 8.5
CVE-2026-44706 · Chatwoot

Chatwoot’s conversation filter API interpolated user-supplied values straight into SQL. An authenticated user in one account could run blind SQL injection and read across tenant boundaries — other accounts’ emails, password hashes, and API tokens. Reported, fixed upstream, and public, so you can verify it.

More findings →

When teams call me

Compliance checks that you have a process. I check whether your access control and release pipeline actually hold up.

How it works

Engagements are fixed-scope and fixed-price, usually one to two weeks. You get a ranked findings report and a walkthrough with your engineers. Once the issues are fixed, I write a short independent attestation you can show prospects’ security teams when they ask. Remediation, if you’d rather I implement the fixes or pair with your team, runs $2,500/day; posture retainers start at $3,000/month.

Who it’s for

Seed to Series C B2B SaaS selling into larger customers who’ve started asking hard security questions. Especially teams putting AI agents or new APIs in front of customer data.