
Our Stack Overflow

Software runs in layers. Our application calls our framework. Our framework calls our database pooler. Our database pooler calls our TLS library. Our TLS library calls our kernel.

When each layer carries an unpatched defect, costs do not add — they compound. A 1,000× slowdown in one layer multiplies against a 66× slowdown in another, against a 500× overhead in a third. Our stack does not crash. It slows. Every request pays. Every user waits. Nobody sees why.

This is stress on our shared heart. Not a single point of failure. A distributed, invisible tax levied on every operation, in every system, by every unpatched defect accumulated across three decades of copy-paste inheritance.

We fix it layer by layer, starting with our most upstream bottlenecks first.


Proof — What We Have Already Shipped

We do not file tickets. We write patches.

Pyramid — disclosed 2026-03-27. Five O(n²) defects across routing, configuration, topological sort, and registry subsystems — all in startup and configuration paths that every production deployment and every worker restart pays. Top speedup: RoutesMapper.connect() drops from O(R²) to O(R), a 2,000× op reduction at R=1,000 routes. Four more defects in the same PR: 1,000×, 738×, 176×, 6×. Six files changed. 511 of 511 existing tests pass. Disclosure coordinated with Tres Seaver (@tseaver). Pull request: Pylons/pyramid#3817. Full write-up: patching pyramid, which will patch pypi.

This is how all of our patches work. We isolate the defect. We prove the complexity. We write the fix. We write the tests. We submit upstream. We move to the next node.

1,258 defects isolated across 528 projects. 977 patches written. 60+ ecosystems scanned.

Every one of these is a Pyramid-scale fix waiting to land.


What Changes When We Ship

MOAD-0001 — O(N²) → O(N)

Linear scans replaced with hash membership tests. Connection poolers no longer scan the full database list on every login. Intrusion detection systems no longer iterate every field name per header. VCS tools no longer render graphs in quadratic time. Build systems no longer cascade reactor lookups. Every operation that was paying a hidden per-transaction multiplier now runs in linear time.
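
The pooler case above in miniature, as an added example that is not code from the MOAD project or from any pooler it patched: an allow-list of database names checked on every login, once as a list scan and once as a hash set. The DbName wrapper, the allow-list and the login stream are constructed here so the work can be counted deterministically instead of timed; the ratio check at the end is the shape of a reproducible complexity gate a CI job could run.

```python
"""MOAD-0001 in miniature: a list scan on every login vs. a hash set.

Added example, not code from the MOAD project or from any pooler it patched.
The allow-list of database names, the login stream, and the DbName wrapper
are constructed here so the cost can be counted instead of timed.
"""
from __future__ import annotations

COMPARISONS = [0]  # number of DbName equality tests since the last reset


class DbName:
    """A database name whose hash and equality follow the string, so it works
    as a key in a list or a set, but which counts every equality test."""

    __slots__ = ("name",)

    def __init__(self, name: str) -> None:
        self.name = name

    def __hash__(self) -> int:
        return hash(self.name)

    def __eq__(self, other: object) -> bool:
        COMPARISONS[0] += 1
        return isinstance(other, DbName) and self.name == other.name


def authorize_linear(logins: list[str], allowed: list[DbName]) -> list[bool]:
    """The defect: `in` on a list compares against every entry, per login."""
    return [DbName(db) in allowed for db in logins]


def authorize_hashed(logins: list[str], allowed: frozenset[DbName]) -> list[bool]:
    """The fix: `in` on a set hashes the key and compares only on a bucket hit."""
    return [DbName(db) in allowed for db in logins]


def comparisons_for(fn, logins, allowed) -> tuple[list[bool], int]:
    """Run one authorizer and return (decisions, equality tests performed)."""
    COMPARISONS[0] = 0
    decisions = fn(logins, allowed)
    return decisions, COMPARISONS[0]


def complexity_gate(fn, build_allowed, n_small: int = 200, n_large: int = 400, m: int = 10) -> float:
    """Reproducible complexity gate: ratio of work at n_large to work at n_small
    for m logins that all hit the last allowed entry. Per-login O(N) membership
    doubles when N doubles (ratio 2.0); O(1) membership stays flat (ratio 1.0).
    A CI job can fail the build when the ratio drifts above ~1.5."""

    def work(n: int) -> int:
        allowed = build_allowed(DbName(f"db{i}") for i in range(n))
        return comparisons_for(fn, [f"db{n - 1}"] * m, allowed)[1]

    return work(n_large) / work(n_small)


if __name__ == "__main__":
    allowed = [DbName(f"db{i}") for i in range(1_000)]
    logins = ["db999"] * 50 + ["not-a-db"] * 50  # constructed login stream
    _, linear = comparisons_for(authorize_linear, logins, allowed)
    _, hashed = comparisons_for(authorize_hashed, logins, frozenset(allowed))
    print(f"list scan: {linear:,} comparisons; hash set: {hashed:,}")
    print("gate (list):", complexity_gate(authorize_linear, list))
    print("gate (set): ", complexity_gate(authorize_hashed, frozenset))
```

With 1,000 allowed names and 100 logins the list scan performs 100,000 equality tests, the set at most one per hit. The gate is the part worth keeping: counting operations rather than wall-clock time makes the O(N) versus O(1) distinction survive a noisy CI runner.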

MOAD-0002 — No Intertangle

Subsystems stop coupling through shared mutable globals. Reloads do not require a process restart. Configuration changes do not ripple into unrelated execution contexts. Systems become composable.

MOAD-0003 — No Leaked Context

Request identity stops leaking across thread boundaries. Tenant isolation holds under concurrency. Observability data stops mixing sessions. Async code becomes safe to reason about.
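
The leak described above, as an added example that is not code from the MOAD project: two constructed requests for different tenants are handled concurrently on one asyncio loop, once with the tenant stored in a threading.local and once in a contextvars.ContextVar. The tenant ids and the handlers are assumptions made for the demonstration.

```python
"""MOAD-0003 in miniature: request identity scoped to a thread vs. to a task.

Added example, not code from the MOAD project. Two constructed "requests"
for different tenants are handled concurrently on one event loop; the only
difference between the two handlers is where the tenant is stored.
"""
from __future__ import annotations

import asyncio
import contextvars
import threading

# The defect: threading.local is per OS thread. Every coroutine on an asyncio
# loop runs on the same thread, so they all share this one slot.
_thread_state = threading.local()

# The fix: a ContextVar is per context, and asyncio gives every Task its own
# copy of the context at creation time.
_tenant: contextvars.ContextVar[str] = contextvars.ContextVar("tenant")


async def handle_with_thread_local(tenant: str) -> tuple[str, str]:
    """Returns (tenant this request is for, tenant an audit log would record)."""
    _thread_state.tenant = tenant
    await asyncio.sleep(0)  # any await: a DB round trip, a downstream HTTP call
    return tenant, _thread_state.tenant


async def handle_with_contextvar(tenant: str) -> tuple[str, str]:
    token = _tenant.set(tenant)
    try:
        await asyncio.sleep(0)
        return tenant, _tenant.get()
    finally:
        _tenant.reset(token)  # leave the context as we found it


def run_concurrently(handler, tenants: list[str]) -> list[tuple[str, str]]:
    """Run one request per tenant as concurrent tasks on a fresh loop."""

    async def main():
        return await asyncio.gather(*(handler(t) for t in tenants))

    return asyncio.run(main())


def leaked(results: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Requests whose observed tenant is not the tenant they were issued for."""
    return [(want, got) for want, got in results if want != got]


if __name__ == "__main__":
    tenants = ["acme", "globex"]  # constructed tenant ids
    print("thread-local leaks:", leaked(run_concurrently(handle_with_thread_local, tenants)))
    print("contextvar leaks:  ", leaked(run_concurrently(handle_with_contextvar, tenants)))
```

The first handler reports acme's request as belonging to globex, because globex's coroutine overwrote the shared slot while acme's was suspended; the ContextVar version reports no leak. Two caveats for thread pools: asyncio.to_thread copies the current context into the worker, loop.run_in_executor does not, and a pooled thread keeps its threading.local state between requests unless the handler clears it.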

MOAD-0004 — No Logged Secrets

SASL passwords, proxy credentials, API keys, SCRAM verifiers — none appear in log files. World-readable log directories stop being credential stores. Incident responders stop finding secrets in rotation archives.
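
One way to keep the credential shapes listed above out of a log file, as an added example rather than code from the MOAD project or any project it patched: a logging.Filter that renders each record and redacts it before the handler writes it. The log calls and the redaction patterns are constructed for this demonstration.

```python
"""MOAD-0004 in miniature: a logging filter that redacts credentials before
they reach a handler.

Added example, not code from the MOAD project or from any of the projects it
patched. The log lines below are constructed; the patterns cover the four
credential shapes named in the text (SASL/password fields, proxy and HTTP
authorization headers, API keys, SCRAM verifiers) plus URL userinfo.
"""
from __future__ import annotations

import logging
import re

_RULES = [
    # scheme://user:password@host  ->  scheme://user:***@host
    (re.compile(r"(?<=://)([^:/@\s]+):([^@\s]+)@"), r"\1:***@"),
    # Authorization / Proxy-Authorization: <scheme> <credential>
    (re.compile(r"(?i)\b(proxy-authorization|authorization)(\s*:\s*)(basic|bearer|digest)\s+\S+"),
     r"\1\2\3 ***"),
    # PostgreSQL-style SCRAM verifier: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>
    (re.compile(r"(SCRAM-SHA-\d+)\$\S+"), r"\1$***"),
    # key=value / key: value pairs for well-known secret names
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token|proxy[_-]?pass(?:word)?)(\s*[=:]\s*)([^\s,;&]+)"),
     r"\1\2***"),
]


def redact(text: str) -> str:
    """Apply every rule; each pattern is linear in the input (no nested quantifiers)."""
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Render the message first, then redact, so format arguments are covered
    too. Attached to the handler so every record it emits passes through."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory (stands in for a file handler)."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_lines(entries: list[tuple[str, tuple]]) -> list[str]:
    """Log each (msg, args) entry through the filter and return what a file would hold."""
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("moad0004.example")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    for msg, args in entries:
        logger.info(msg, *args)
    return handler.lines


# Constructed log calls of the kind the text describes.
SAMPLE_ENTRIES = [
    ("connect %s", ("postgres://app:hunter2@db.internal:5432/prod",)),
    ("SASL auth user=%s password=%s", ("alice", "s3cr3t!")),
    ("proxy headers: Proxy-Authorization: Basic YWxpY2U6aHVudGVyMg==", ()),
    ("stored verifier: SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy", ()),
    ("client api_key=%s retry=%d", ("sk_live_abc123", 3)),
]

if __name__ == "__main__":
    for line in log_lines(SAMPLE_ENTRIES):
        print(line)
```

The filter sits on the handler, not the logger, because logger-level filters do not apply to records propagated from child loggers. Rendering with getMessage() before redacting is what catches secrets passed as format arguments; redacting record.msg alone would miss them and break the later %-formatting.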

MOAD-0005 — No Thundering Herd

Cache misses stop stampeding. Cold starts stop cascading. First requests after a deploy stop taking 10× longer than the second. Systems degrade gracefully instead of collapsing under synchronized load.
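
The stampede described above, as an added example that is not code from the MOAD project: eight constructed workers released at the same instant against a cold cache key, once against a cache that lets every miss call the origin and once against a single-flight cache where the first miss loads and the rest wait. The slow origin is a constructed loader that sleeps; the key and worker count are assumptions.

```python
"""MOAD-0005 in miniature: a cache miss that stampedes the origin vs. one that
is coalesced so a single caller refills the key.

Added example, not code from the MOAD project. The "origin" is a constructed
loader that sleeps to stand in for a slow database or upstream API call.
"""
from __future__ import annotations

import threading
import time
from typing import Callable


class NaiveCache:
    """The defect: every concurrent miss on the same key calls the loader."""

    def __init__(self, loader: Callable[[str], str]) -> None:
        self._loader = loader
        self._values: dict[str, str] = {}

    def get(self, key: str) -> str:
        value = self._values.get(key)
        if value is None:
            value = self._loader(key)  # N callers, N origin hits
            self._values[key] = value
        return value


class SingleFlightCache:
    """The fix: the first miss on a key becomes the leader and loads it;
    concurrent callers wait on an Event and read the leader's result."""

    def __init__(self, loader: Callable[[str], str]) -> None:
        self._loader = loader
        self._values: dict[str, str] = {}
        self._inflight: dict[str, threading.Event] = {}
        self._lock = threading.Lock()

    def get(self, key: str) -> str:
        with self._lock:
            if key in self._values:
                return self._values[key]
            done = self._inflight.get(key)
            leader = done is None
            if leader:
                done = self._inflight[key] = threading.Event()
        if not leader:
            done.wait()
            with self._lock:
                if key not in self._values:  # leader failed; do not retry blindly
                    raise RuntimeError(f"load of {key!r} failed in leader")
                return self._values[key]
        try:
            value = self._loader(key)  # exactly one origin hit per miss window
            with self._lock:
                self._values[key] = value
            return value
        finally:
            with self._lock:
                self._inflight.pop(key, None)
            done.set()  # release the waiters whether we succeeded or not


def stampede(cache_cls, workers: int = 8) -> tuple[int, list[str]]:
    """Release `workers` threads at the same instant against a cold key and
    return (origin calls made, values each worker received)."""
    calls = 0
    calls_lock = threading.Lock()

    def slow_origin(key: str) -> str:
        nonlocal calls
        with calls_lock:
            calls += 1
        time.sleep(0.1)  # constructed latency of the backing store
        return f"value-for-{key}"

    cache = cache_cls(slow_origin)
    gate = threading.Barrier(workers)
    results: list[str] = [""] * workers

    def worker(i: int) -> None:
        gate.wait()  # all workers miss together, like the first requests after a deploy
        results[i] = cache.get("hot-key")

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return calls, results


if __name__ == "__main__":
    for cls in (NaiveCache, SingleFlightCache):
        n, values = stampede(cls)
        print(f"{cls.__name__}: {n} origin call(s), {len(set(values))} distinct value(s)")
```

Single-flight fixes the cold-key burst inside one process. Synchronized expiry across a fleet still needs jittered TTLs or early refresh, and coalescing across processes has to happen at a shared layer (a distributed lock or the reverse proxy) rather than in each worker's memory.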

MOAD-0006 — No Glass Safe

Mailing list infrastructure stops broadcasting subscriber passwords in plaintext. Open source contributor communities stop receiving credential-exposure emails on a recurring schedule. Researchers can submit patches without surrendering credentials to every SMTP relay in the path.

MOAD-0007 — No Flatland Defect

3D engines stop scanning all N scene objects on every raycast. Physics engines gain a broad-phase BVH: a query drops from O(N) to O(log N + k) for k candidate pairs, so a step that issues M queries drops from O(N×M) to O(M log N + k). Hover detection queries a spatial index instead of testing every node. At 10,000 objects firing at 60 Hz, the linear scan dominates our frame budget; the BVH returns it.

MOAD-0009 — No Metered Heart

Scheduled jobs stop firing on a timer regardless of whether anything warranted the fire. State transitions complete atomically or roll back atomically. Users never see the intermediate broken state. Downstream systems receive event-driven signals when state actually changes.

The living capital impact exceeds the others. A Metered Heart does not just waste compute. It drains the humans who depend on the system. Trust degrades. Experiential capital leaks. Every deferred-repair cycle teaches users that the system cannot tell the truth about its own state.

MOAD-0011 — No Catastrophic Inheritance

Backtracking regex engines, inherited through the Perl and PCRE lineage into most mainstream runtimes (Python's re, Java, JavaScript, .NET), stop producing polynomial or exponential matches on adversarial inputs; automaton-based engines such as RE2, Go's regexp package and Rust's regex crate never had the problem. ReDoS windows close. Regex-based input validators stay O(n): patterns are rewritten without nested or overlapping quantifiers, inputs are length-capped before they reach the engine, or the validator moves to a linear-time engine.
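
The shape of the defect and of the fix, as an added example that is not code from the MOAD project: a constructed "words separated by optional whitespace" validator with a nested quantifier, beside the unambiguous rewrite plus a length cap. The patterns, the input cap and the adversarial input are assumptions made for the demonstration.

```python
"""MOAD-0011 in miniature: a backtracking validator with a nested quantifier
and the linear rewrite that replaces it.

Added example, not code from the MOAD project. The patterns and inputs are
constructed; the vulnerable pattern is the classic "words separated by
optional whitespace" shape, which is ambiguous about where one repetition
ends and the next begins.
"""
from __future__ import annotations

import re
import time

# Vulnerable: (\w+\s?)* can split a run of word characters into groups in
# 2^(n-1) ways, and a backtracking engine tries them all before failing.
VULNERABLE = re.compile(r"^(\w+\s?)*$")

# Hardened: the same language, written so that each character has exactly
# one way to be consumed. No nested quantifier, so backtracking is bounded.
LINEAR = re.compile(r"^\w+(?:\s\w+)*\s?$|^$")

MAX_INPUT = 1024  # reject oversized input before the engine sees it (assumed cap)


def vulnerable_validate(s: str) -> bool:
    return VULNERABLE.match(s) is not None


def hardened_validate(s: str) -> bool:
    """Length cap first, then the unambiguous pattern."""
    if len(s) > MAX_INPUT:
        return False
    return LINEAR.match(s) is not None


def adversarial(n: int) -> str:
    """n word characters followed by one character neither pattern accepts."""
    return "a" * n + "!"


def seconds_to_reject(validate, s: str) -> float:
    """Wall-clock time for one validation; used only to show the growth rate."""
    start = time.perf_counter()
    validate(s)
    return time.perf_counter() - start


if __name__ == "__main__":
    # The vulnerable pattern roughly doubles per extra character; keep n small.
    for n in (14, 18):
        print(
            f"n={n}: vulnerable {seconds_to_reject(vulnerable_validate, adversarial(n)):.3f}s, "
            f"hardened {seconds_to_reject(hardened_validate, adversarial(n)):.6f}s"
        )
    print(f"hardened on n=1023: {seconds_to_reject(hardened_validate, adversarial(1023)):.6f}s")
```

Both validators accept and reject the same benign inputs; only their worst case differs. The rewrite works because `\w+` and `\s\w+` cannot overlap, so the engine never has two ways to consume the same character. Where the pattern cannot be made unambiguous, the remaining options are the length cap, an atomic group or possessive quantifier (Python 3.11+), or an automaton-based engine.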


The Solution Existed First

The most unsettling fact about MOAD-0001 sits not in our scan data but in our timeline.

Georg Cantor published the formal definition of a mathematical set in 1874. A set, by definition, treats membership as a primitive relation: x ∈ S is either true or false, with no notion of walking the elements to find out. Nothing in the definition makes membership grow more expensive as the set grows. The structure that eliminates MOAD-0001 entered the formal record 152 years before our scanner confirmed its violations.

The defect postdates its own fix.

Java's ArrayList, the most common substrate for MOAD-0001 in the wild, arrived with the Collections Framework in Java 1.2 (1998); the language itself, with its Vector predecessor, shipped in 1996. Cantor's sets: 1874. The fix arrived 122 years before the language that made the defect widespread.

This matters because the standard framing of MOAD is: "people should have known better." That framing is too weak. People did know better. The knowledge sat in every discrete mathematics textbook, in every data structures course, in every edition of Knuth. The defect did not persist because the solution was unknown. It persisted because knowledge does not automatically propagate into running code. Something must carry it there.

The Propagation Eras

Five eras separate Cantor from our scanner. Each carried the knowledge one step closer to the code. Each introduced a 10-to-40-year lag.

Era 1: Mathematical Foundation (1847-1909). Boole formalized logical membership in 1847. Cantor extended it into set theory between 1874 and 1897. Bachmann introduced O() notation in 1894; Landau extended the system in 1909. After 1909, the claim "this operation grows proportionally to N²" became falsifiable.

Era 2: Computer Science Formalization (1953-1973). Luhn at IBM described the first hash table in 1953. Knuth applied Bachmann-Landau notation to algorithm analysis in The Art of Computer Programming, Volume 1 (1968) and formalized hash tables with full complexity analysis in Volume 3 (1973). After 1973, the case for O(1) membership sat in the most-cited work in computer science.

Era 3: Language Era (1980s-2000s). Standard library implementations lagged Knuth by two decades or more. C++ had hash_set only as an SGI STL extension in the mid-1990s; std::unordered_set was standardized with C++11 (via TR1, 2007). Java shipped Hashtable in 1.0 (1996) and HashSet with the Collections Framework in 1.2 (1998). Python elevated set to a first-class built-in in 2.4 (2004).

Era 4: Idiom Era (2000s-2010s). Effective Java (Bloch, 2001) recommended HashSet for membership tests. Stack Overflow answers from 2008 onward consistently directed developers away from list.contains() inside loops. The idiom propagated through human review cycles, not automated enforcement. Existing code, already written with ArrayList, did not get updated.

Era 5: Detection Era (2026). Automated scanning identified the pattern across every major ecosystem. Not the code written after the idiom era. The code written before it, copied forward through three decades of tutorials, ports, and dependency chains. The fossil layer. Correct at deposition. Expensive at excavation.

What the Timeline Tells Us

MOAD                   Mathematical / Theoretical Basis      First Formal Description   Systematic Detection   Gap
0001: Sedimentary      Cantor set theory + Bachmann Big O    1874 / 1894                2026                   132–152 years
0002: Intertangle      Parnas information hiding             1972                       2026                   54 years
0003: Leaked Context   Thread identity scoping               1998                       2026                   28 years
0004: Logged Secret    RFC 1945, HTTP auth headers           1996                       2026                   30 years
0005: Thundering Herd  Dijkstra semaphores                   1965                       2026                   61 years

The root gap is not between knowing and doing. It is between knowing and building automated systems that enforce the knowledge everywhere, continuously, without relying on human review cycles to catch each instance.

Cantor gave us sets. Luhn gave us hash tables. Knuth gave us complexity analysis. Parnas gave us information hiding. Dijkstra gave us semaphores. Each contribution: a complete theory. Each gap: the absence of a detector.

The MOAD project builds the detector. Scan → ticket → patch → unit test → disclose → PR → upstream merge → planet patched. Every fix propagates through every downstream user without asking permission. That is the leverage.


The Trolley Problem of Computer Science

Removing a bottleneck is not neutral. It is a force multiplier applied to every node downstream.

Fix O(N²) at a connection pooler and every application that pools through it can suddenly push 1,000× more requests through. Fix a kernel scheduler and every service running on that kernel surges simultaneously. Fix a TLS library and every HTTPS handshake lands at once. The throughput freed at one node floods every queue behind it: instantly, globally, without warning.

This is computer science's trolley problem. Pull our lever and friction drops. But if we do not look downstream first, we derail everything we just unblocked.

Agape — love for all nodes on our graph — is not optional here. It is the engineering constraint.

Every disclosure brief is written with care for the maintainers who receive it. Every patch preserves existing behavior. Every benchmark is reproducible. The goal is the fix, not the credit. We do not ship a large speedup at a workaholic node without first asking: who stands downstream? Are they staged? Do they have caretakers?

A brutal release — high speedup, no coordination, no caution — does not help our ecosystem. It burns out our nodes. It floods our queues. It converts a single O(N²) defect into a cascade of MOAD-0005 thundering herds across every layer we just unblocked.

We need a virtuous ascending vortex, not a death spiral of workaholicism.

Across our eight forms of capital — living, material, financial, intellectual, experiential, social, cultural, spiritual — every patch touches more than code. A maintainer who receives a well-prepared disclosure, with tests, with benchmarks, with a reproducible complexity gate, gains experiential capital. A project that ships our fix gains social trust. An ecosystem where bottlenecks clear without cascade failures accumulates living capital.

We move at the speed of trust, not the speed of throughput.


The Ask

This work is too large for one person to solo. It is not too large for a team.

What we need:

  • Maintainers who will review and merge our patches upstream
  • Contributors who will take on outreach to the next node in the DAG
  • Donors who will keep this work moving while upstream review cycles run — donate →
  • Organizations whose infrastructure runs on these projects and who benefit directly from every merge

Every upstream merge is permanent. Every fix propagates to every downstream user, every deployment, every CI runner that picks up the next release, without asking permission; pinned lockfiles and vendored copies still need a bump. That is the leverage. That is why we do this here instead of selling it.

Contact: security@undefect.com


Our Scale

1,295 UNDF defects assigned · 977 patches written · 60+ ecosystems · 9 MOADs · 18 languages scanned

Our set is closed. Our world is bounded. Every node has been touched.


Generated on every build from stats.json. Numbers recompute automatically as new disclosures land.