I secure the internet from bad guys.
I travel across the intersections of Security/Privacy and Open Source software.

Mastodon: https://mastodon.social/@thypon

Mail: τһуроɴ@роⅿреⅼ.ⅿе

Github: https://github.com/thypon


Since November 2021, I have helped secure Brave, a privacy and security-focused web browser. In Brave, I participate in red teaming exercises and security guidance across the product stack.
Since 2015, I have been part of the VoidLinux core team. I manage ~100 packages in the Security and DevOps areas, such as Docker, Kubernetes, Terraform and several other Go-based packages.
Authored the first and most used GraphQL introspection security tool, as seen at BlackHat Arsenal and Hacking APIs.


CloudFront Arbitrary Header Write
In 2022, I discovered a serious HTTP Header smuggling issue affecting all AWS CloudFront clients. Any attacker could have tampered with any internal HTTP header, overriding security headers (e.g. X-Forwarded-For).
GraphQL Research 1, 2
Between 2020 and 2021, I released a bunch of GraphQL research articles, which culminated in the development of the most used GraphQL penetration testing tool, InQL.
CVE-2019-12384: Jackson CVE
I developed and described a new technique to identify new deserialization gadgets for the most used Java JSON parser - Jackson.
Bug Bounty Activities
I believe in open disclosure and sometimes participate in bug bounties under thypon.
Offensive Exercises
Long-time member of the mHackeroni CTF team, and previously in the Doyensec crew.