I break software, politely, and then I write it up.
I’m an application-security engineer and independent researcher. Day job: finding and fixing vulnerabilities. Off the clock: reading CVE feeds, reproducing bugs, building small tools, and publishing writeups here.
My focus is reachability: not just “is this function vulnerable?” but “can anyone actually get there, and with what pre-conditions?” Most of the interesting work in appsec lives in that gap between a lint rule firing and a bug a motivated attacker can land.
I disclose responsibly. 90-day timeline by default, extended on request when the fix is real.
What I write about
Vuln writeups (with repros), research on how classes of bugs behave in the wild, tool launches, and the occasional essay about how this craft actually works.
Contact
Email [email protected] for anything.