DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

72 Days: A Transparency Report on CVE-2022-24999

Patrick Duggan
Jan 6
2 min read

The Uncomfortable Truth

On January 6, 2026 at 16:27 CST, we committed a fix for CVE-2022-24999 to security.dugganusa.com. The vulnerability—a prototype pollution flaw in the qs query string parser used by Express—had been present in our infrastructure for 72 days.

We're publishing this because you deserve to know.

What Was Vulnerable

CVE-2022-24999 is a High severity (CVSS 7.5) prototype pollution vulnerability affecting the qs package, which Express uses to parse query strings. An unauthenticated attacker could craft a malicious URL like:

?a[__proto__]=b&a[__proto__]&a[length]=100000000

This could cause a Node.js process hang—a denial of service condition.

The Timeline

Timestamp	Event
November 26, 2022	CVE-2022-24999 published to NVD
October 26, 2025 20:31 CST	security.dugganusa.com deployed with Express 4.18.2
January 5, 2026	Dependabot flags transitive qs vulnerability
January 6, 2026 16:27 CST	Fix committed and deployed via npm overrides

Dwell time: 72 days from vulnerable service deployment to patch.

Why It Took 72 Days

Express 4.18.2 should have included patched dependencies. It didn't. The vulnerable qs version was pulled in through body-parser's transitive dependency chain—a classic supply chain visibility gap.

We run Dependabot continuously. The alert fired when npm's vulnerability database updated its transitive dependency analysis. Within 24 hours of detection, the fix was in production.

What We Fixed

{
  "overrides": {
    "qs": "6.14.1"
  }
}

That's it. One override in package.json forcing all transitive dependencies to use the patched qs version. Applied to both security.dugganusa.com and analytics.dugganusa.com.

Did Anyone Exploit This?

We reviewed 72 days of access logs. No exploitation attempts detected.

The attack signature (__proto__ in query strings) is distinctive. We searched for it. Nothing.

This doesn't mean we were safe—it means we were lucky.

Defense in Depth Saved Us

Even if exploited, the damage would have been limited:

Azure Container Apps auto-restarts crashed containers within seconds
Rate limiting at the CDN layer would throttle repeated attacks
No data exfiltration risk—CVE-2022-24999 is DoS-only, not RCE
Isolated services—a crash in security-dashboard doesn't affect analytics

Defense in depth isn't about preventing all vulnerabilities. It's about limiting blast radius when they slip through.

The Uncomfortable Math

72 days of exposure
7.5 CVSS severity
0 detected exploitation attempts
24 hours from detection to remediation

Was this acceptable? That depends on your risk tolerance. For a $77/month security dashboard serving threat intelligence feeds, we believe the residual risk was within acceptable bounds—but we'd prefer zero.

What We're Changing

Transitive dependency audits: Monthly manual review of npm ls output for critical packages
Override-first patching: When Dependabot flags a transitive vulnerability, apply overrides immediately rather than waiting for upstream fixes
Transparency reports: Publishing dwell time data quarterly

For Our Customers

If you consume our STIX feeds or threat intelligence APIs, your systems were never at risk. The vulnerability affected our web dashboards, not the data pipelines.

If you visited security.dugganusa.com or analytics.dugganusa.com during the 72-day window, your browser was not compromised. CVE-2022-24999 is a server-side DoS vulnerability—it cannot execute code on clients.

References

DugganUSA LLC operates threat intelligence infrastructure serving enterprise customers. We believe security vendors should be transparent about their own vulnerabilities—not just everyone else's.