Based in London
I build developer tools and find security bugs.
I also run Gawk, a live dashboard that tracks the AI industry. Everything I make is open, and every number or claim links to proof you can check yourself.
Gawk
A live dashboard for the AI industry.
Gawk watches more than thirty public sources and puts what is moving in AI on one screen. Model releases, downloads, spend, news. Every number links to where it came from. When a source goes down, its card greys out and keeps the last value instead of guessing.
Small tools you can install and read.
Five of them. Each one started as something I needed once, then became a package. They live on PyPI, Homebrew and GitHub, and the source is short enough to read in one sitting.
authdrift
A Semgrep ruleset that finds OAuth handlers keying on email instead of the OIDC sub claim. That is the bug that breaks when a user renames their Gmail. Six rules, six frameworks, no false positives.
pip install authdrift (PyPI)
bharataddress
Deterministic parsing for messy Indian addresses. 26,711 embedded pincodes, six Indic scripts, no runtime dependencies. Infrastructure that simply has to work, offline.
pip install bharataddress (PyPI)
privacylint
A Swift CLI that catches App Store privacy rejections before you submit. Required Reason APIs, missing manifests, AI consent declarations, tracking domains. It tells you in plain English, with file and line numbers.
brew install (Swift CLI)
codepulse
A public leaderboard and paste-audit for CLAUDE.md files. It scores configs against Claude Code defaults and flags redundant or outdated instructions. Deterministic, with an optional semantic layer.
TypeScript (GitHub)
gmail-oauth-research
The reproducible dataset behind the Gmail rename audit. A code-pattern scan of over two million repositories that found 124 projects keying Google login on email. Methodology, severity tiers and a per-project breakdown, all public.
Dataset
What I found, and what got fixed.
I report bugs on HackerOne, Bugcrowd and huntr. Most stay private until they are fixed. The public work is the Gmail rename audit, the authdrift ruleset I built from it, and the fixes maintainers shipped. The ztnet maintainer merged one himself as PR #884, with 45 lines of code and 304 of tests.
Google externalised the cost of renaming Gmail
Google shipped Gmail address renaming and never shipped a webhook to go with it. 124 open-source projects still tie your identity to your email address. This is what breaks, and who pays. It comes with the open dataset and the authdrift ruleset, and maintainers have merged fixes from it.
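The bug that authdrift flags and the essay describes, as an added illustration (not authdrift's rules or any of the 124 projects' code): two account-linking strategies run over a constructed in-memory user table with constructed ID token claims, one keyed on the email claim and one keyed on issuer plus `sub`.

```python
"""Added example: keying OIDC logins on email versus the stable `sub` claim.

Constructed scenario (not real Google tokens): one person logs in, renames their
address, and later a different subject presents the old address.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    subjects: set[str] = field(default_factory=set)  # "issuer|sub" keys


@dataclass
class UserStore:
    users: list[User] = field(default_factory=list)

    def by_email(self, email: str) -> User | None:
        return next((u for u in self.users if u.email.lower() == email.lower()), None)

    def by_subject(self, key: str) -> User | None:
        return next((u for u in self.users if key in u.subjects), None)

    def create(self, email: str, key: str | None = None) -> User:
        user = User(id=len(self.users) + 1, email=email, subjects={key} if key else set())
        self.users.append(user)
        return user


def link_by_email(store: UserStore, claims: dict) -> User:
    """The flagged pattern: whoever presents a matching email address gets the account."""
    return store.by_email(claims["email"]) or store.create(claims["email"])


def link_by_subject(store: UserStore, claims: dict) -> User:
    """The fix: (iss, sub) is the identity; email is a mutable attribute that follows renames."""
    key = f'{claims["iss"]}|{claims["sub"]}'
    user = store.by_subject(key)
    if user is None:
        return store.create(claims["email"], key)
    user.email = claims["email"]  # rename updates the record, not the identity
    return user


def simulate(link) -> dict:
    """Run the rename scenario through one strategy; returns the account ids each login landed in."""
    store = UserStore()
    alice = {"iss": "https://accounts.google.com", "sub": "111", "email": "alice@example.com"}
    alice_renamed = dict(alice, email="alice.new@example.com")
    other = dict(alice, sub="222")  # a different subject presenting the old address
    return {
        "alice_before": link(store, alice).id,
        "alice_after": link(store, alice_renamed).id,
        "other_subject": link(store, other).id,
        "accounts": len(store.users),
    }
```

With email keying the renamed user is split off into a second account and the old address resolves to her original one; with subject keying her account simply follows the rename.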
124 repositories. Four ecosystems. One broken assumption.
The data behind the essay: 2M+ repositories scanned, severity tiers, ecosystem breakdown, full methodology. The complete audit, reproducible.
AI-augmented, human-in-the-loop
A careful way to use AI in security research. Every finding is checked by hand, and nothing is submitted automatically. It tests where AI actually helps a researcher, instead of flooding triage queues.
Right now, Nativerse is one person. I put everything in public so you never have to take my word for it.
I am Srinathprasanna Shanmugam. I trained as a software engineer, then spent a few years in enterprise software. I build all of this on my own time. If something here matches what you do, I would like to hear from you.