I secure the internet from bad guys.
I travel across the intersections of Security/Privacy and Open Source software.
DM: ＋３９ ３３３ ３２７ ４８５１
- Since November 2021, I have helped secure Brave, a privacy and security-focused web browser. In Brave, I participate in red teaming exercises and security guidance across the product stack.
- Since 2015, I have been part of the VoidLinux core team. I manage ~100 packages in the Security and DevOps areas, such as Docker, Kubernetes, Terraform and several other Go-based packages.
- Authored the first and most used, GraphQL introspection security tool, as seen at BlackHat Arsenal and Hacking APIs
- CloudFront Arbitrary Header Write
- In 2022, I discovered a serious HTTP Header smuggling issue affecting all AWS CloudFront clients. Any attacker could have tampered with any internal HTTP header, overriding security headers (e.g. X-Forwarded-For).
- GraphQL Research 1, 2
- Between 2020-2021, I released a bunch of GraphQL Research articles, which culminated in the development of the most used GraphQL penetration testing tool InQL
- CVE-2019-12384: Jackson CVE
- I developed and described a new technique to identify new deserialization gadget for the most used Java JSON parser - Jackson.
- Bug Bounty Activities
- I believe in open disclosure and sometimes participate in bug bounties under thypon.
- Offensive Excercises
- Long time member of the mHackeroni CTF team, and previously in the Doyensec crew.