I find security bugs. Everything gets reproduced in a lab, reported to the vendor privately, and written up here once the fix ships.

Currently sitting with vendors: 7 critical, 8 high, 1 medium. Most are around authorization scoping, credential exposure, or privilege escalation through stuff operators can configure. Writeups land when the fixes do.