# $ whoami
Software Developer turned Security Researcher.
I spent years building web applications before I started breaking them. This transition wasn’t just a career shift; it was a deep-dive into the fundamental ways systems fail at the architectural level. I don’t just find bugs; I investigate the logic that allowed them to exist.
## The Developer’s Edge
Most security research identifies what is broken. Because of my engineering background, I focus on the “Developer’s Blind Spot”—the space between a feature’s intent and its actual implementation.
- Developer Intuition: I can “smell” vulnerable patterns in code—like unsafe ORM usage or weak middleware logic—because I’ve been in the trenches building them.
- Impact-Driven Research: I actively hunt for vulnerabilities in open-source projects and enterprise platforms, focusing on impactful, responsible disclosure.
- Practical Patches: For critical research, such as my work on CVE-assigned vulnerabilities, I work alongside maintainers to provide the specific code patches required to fix the root cause.
## The Journey: Curiosity as a Constant
My path into security wasn’t academic—it was adversarial. It started in my teens, finding creative ways to identify flaws in local administrative and educational systems. Even then, my focus was on the report: identifying a bypass and ensuring the vulnerability was understood and closed.
This drive continued during my service in an elite intelligence unit (8200). While my primary role was in translation, I spent my free time exploring the organization’s own internal systems. I identified and reported multiple security gaps, turning a personal curiosity into a contribution to the unit’s defensive posture. Today, I’ve traded unofficial exploration for a professional commitment to securing the web.
## Research Focus
- Web Vulnerabilities: Deep-dives into DOM-based XSS, IDOR, and Business Logic flaws.
- Open Source Security: Contributing to the ecosystem by hardening widely-used packages and managing the CVE process.
- Logic Exploitation: Breaking down proprietary APIs and web apps to uncover creative attack vectors that automated tools often miss.
“The best builders make the best breakers.”
