Since this article was published, the company behind the third-party RASP bypass posts has issued a correction confirming that the findings were incorrectly attributed to Promon, and that Promon Shield was not affected.
Following direct engagement between their team and Promon’s Security Research team, the original posts have been taken offline and the record has been corrected.
We appreciate their engagement and their decision to clarify the situation publicly.
This is a useful example of why evidence, reproducibility, and coordinated disclosure matter. Complex technical findings can be difficult to interpret, especially when multiple technologies are present in the same application and AI-assisted analysis is part of the process.
As AI makes it easier to generate technically plausible vulnerability claims at speed, responsible disclosure becomes more important than before, not less.
Used well, AI can help researchers move faster, explore unfamiliar code, generate hypotheses, automate analysis, and test ideas more efficiently. That is a good thing. Security research has always benefited from better tools.
But AI also changes something else: it can make it easier to produce long, technically plausible vulnerability claims than to prove them.
That distinction matters.
Security claims have consequences. This is especially true for technologies used to protect banking, healthcare, government services, payment platforms, and other applications where mobile app security has real-world impact.
At Promon, we welcome serious, good-faith security research. We do not believe any security technology should be above scrutiny. Independent research, when conducted responsibly, helps make the whole ecosystem safer.
But the standard for credible security research remains the same, whether AI is involved or not: claims should be evidenced, reproducible, and handled in a way that protects users.
This is why Promon maintains established channels for vulnerability reporting, including our responsible disclosure process and, where applicable, our bug bounty program. We ask researchers who believe they have identified an issue affecting Promon technology to contact us directly, provide enough technical detail for us to validate the finding, and give us the opportunity to investigate and remediate before public disclosure.
That is not about avoiding scrutiny. It is about protecting users.
Coordinated vulnerability disclosure is a well-established practice in the security industry. Standards and guidance such as ISO/IEC 29147 and ENISA’s coordinated vulnerability disclosure guidance, together with mechanisms such as RFC 9116 (the security.txt file) for publishing security contact information, reflect the same basic principle: when a potentially serious security issue is found, the affected vendor should be given enough information to reproduce, validate, and address the issue before it is made public.
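RFC 9116 is the one mechanism named above that a researcher can check mechanically before reporting: it specifies a file at /.well-known/security.txt with mandatory Contact and Expires fields, where Contact values are URIs (mailto:, https:, tel:), Expires is an ISO 8601 timestamp that must not be in the past, and Expires and Preferred-Languages may appear at most once. The checker below is an added example, not Promon’s code and not the contents of any real security.txt; the sample files are constructed for illustration and use example.com. It handles only the plain-text form: a file carrying a PGP cleartext signature must be verified and stripped first.

```python
"""Check a security.txt file against the basic RFC 9116 rules.

Added example; not Promon's code and not any vendor's real file. The
samples below are constructed and use example.com.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field names RFC 9116 defines (case-insensitive). Contact and Expires are
# mandatory; Expires and Preferred-Languages may appear at most once.
KNOWN_FIELDS = {
    "Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
    "Hiring", "Policy", "Preferred-Languages", "CSAF",
}
CONTACT_SCHEMES = {"mailto", "https", "tel"}

# Fixed "current time" so the Expires check is deterministic in the demo.
DEMO_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map canonical field name -> values in file order.

    Blank lines and '#' comments are skipped. Unknown names are kept
    verbatim; lines without a colon are collected under '<malformed>'.
    """
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("<malformed>", []).append(line)
            continue
        name = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> tuple[list[str], list[str]]:
    """Return (errors, warnings); an empty error list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    errors: list[str] = []
    warnings: list[str] = []

    for line in fields.get("<malformed>", []):
        errors.append(f"malformed line: {line!r}")

    # Contact: mandatory, one or more, each a URI with a usable scheme.
    contacts = fields.get("Contact", [])
    if not contacts:
        errors.append("missing mandatory Contact field")
    for uri in contacts:
        scheme = urlsplit(uri).scheme.lower()
        if scheme in CONTACT_SCHEMES:
            continue
        if scheme == "http":
            warnings.append(f"Contact uses plain http: {uri}")
        else:
            errors.append(f"Contact is not a mailto:/https:/tel: URI: {uri}")

    # Expires: exactly once, ISO 8601 with zone, in the future, and per the
    # RFC's recommendation not more than a year ahead.
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        errors.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                errors.append("Expires lacks a time zone offset")
            elif when <= now:
                errors.append(f"file expired at {expires[0]}")
            elif when - now > timedelta(days=365):
                warnings.append("Expires is more than a year away")
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")

    if len(fields.get("Preferred-Languages", [])) > 1:
        errors.append("Preferred-Languages must appear at most once")

    for name in fields:
        if name not in KNOWN_FIELDS and name != "<malformed>":
            warnings.append(f"unknown field {name!r} (extension or typo?)")

    return errors, warnings


# Constructed samples; not any vendor's real security.txt.
SAMPLE_OK = """\
# Constructed sample using example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-03-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/disclosure-policy
"""

SAMPLE_BAD = """\
Contact: security@example.com
Contact: http://example.com/report
Preferred-Languages: en
Preferred-Languages: no
Exipres: 2026-03-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        errs, warns = check_security_txt(sample, now=DEMO_NOW)
        print(label, "errors:", errs, "warnings:", warns)
```

Run against a vendor’s real file by fetching /.well-known/security.txt over HTTPS and passing the body to check_security_txt; an expired file or a Contact without a scheme is exactly the kind of stale contact path that causes reports to go astray.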
This process benefits everyone.
It helps researchers ensure their findings are accurate.
It helps vendors assess and fix real issues.
It helps customers understand actual risk.
Most importantly, it helps protect end users.
When technical bypass claims are published without prior coordination, without a reproducible report, and without clear affected-version details, it becomes much harder for customers, vendors, and the wider security community to assess the real impact.
Promon is currently reviewing recently published third-party material that appears to concern an older version line of Promon Shield.
We are taking the material seriously and are analyzing the technical content carefully. The public material contains technical detail and describes a number of claimed bypass techniques. At this stage, it has not provided enough information for Promon to independently reproduce and validate the claimed end-to-end bypass chain.
We have also not received a report through our responsible disclosure process or, where applicable, our bug bounty program.
That is important context.
A public write-up may be technically detailed while still not being independently reproducible. For security claims affecting protective technology, reproducibility matters.
A credible vulnerability report should normally make it possible to answer questions such as:
What product and version are affected?
Is the affected version currently supported?
What application or sample was tested?
What configuration was used?
What device, OS version, and runtime environment were involved?
What exact steps reproduce the behavior?
What evidence demonstrates that a protection was bypassed?
Without this information, a public claim may appear detailed while still being difficult, or impossible, to verify.
Based on the information currently available, Promon has not verified, from the published material, a working bypass of any current, supported, up-to-date Promon Shield configuration.
Where the public material appears to refer to the Promon Shield 7.x line, that version line is no longer supported, and Promon Shield has been significantly improved since. Customers using supported, up-to-date versions and recommended configurations benefit from the latest protections, mitigations, and improvements.
We do not see AI-assisted research as a problem in itself. On the contrary, AI will almost certainly become a normal part of modern security research.
But AI-assisted research must still meet the same standard as any other research.
AI systems can produce technically convincing explanations. They can combine known techniques, infer missing details, and present speculative conclusions with confidence. Sometimes those conclusions are useful. Sometimes they are incomplete. Sometimes they are simply wrong.
In security, plausibility is not proof.
A bypass claim must be demonstrated.
A vulnerability must be reproducible.
A technical conclusion must be supported by evidence.
AI may make it easier to claim vulnerabilities. It does not remove the need to prove them.
Our position is simple:
We welcome responsible, good-faith security research.
We ask researchers to use our published responsible disclosure process or, where applicable, submit through our bug bounty program.
We investigate credible reports thoroughly and with appropriate urgency.
We do not consider incomplete or unreproducible public claims to be equivalent to verified vulnerabilities.
We will continue to improve Promon Shield as attack techniques evolve, including techniques assisted by AI.
Based on the information currently available, Promon has not identified any required customer action related to the published material. As always, we recommend that customers stay on supported and up-to-date versions of Promon Shield to benefit from the latest protections, mitigations, and improvements.
Customers who would like confirmation of their specific Promon Shield version or configuration should contact their Promon account team or support contact.
If any credible issue is identified that affects supported versions of Promon Shield, we will handle it with the urgency and transparency our customers expect.
To any researcher who believes they have identified a valid issue affecting Promon technology: please contact us through our responsible disclosure process or, where applicable, submit through our bug bounty program.
Send us the technical details.
Send us the reproduction steps.
Send us the affected version, configuration, and test environment.
Send us the evidence.
We will review it seriously.
Responsible research makes users safer. That is the standard we support, and the standard we ask others to follow.