Featured
Research
A kiosk is not a boundary: threat-modeling Cage, Wayland, and Chromium
Part one of a practical series on building a real-world Linux kiosk environment with Debian Trixie, Wayland, Cage, Chromium, TypeScript, CSS, HTML, and a Python backend.
Read advisory
Recent
2026-04-27
The PHP concat operator interruption — a bug I sat on for thirteen years
A first-person account of an unreported bypass of CVE-2010-2191 I found around 2010, never disclosed, and which lived on in shipped PHP until 8.3.0 in November 2023. What I did, what I didn't, and what the project did and didn't.
2026-03-08
Defeating PHP's internal boundaries — a hardening guide for PHP 8.5
Why every PHP-internal security control collapses in front of FFI or a single memory-corruption primitive — including a practical answer to whether FFI escapes Docker — and what your hardening posture actually needs to look like in 2026.
2026-01-22
Two audiences, one report: the structure I use for every engagement
The board wants to know whether you're a bigger or smaller problem than the last firm. The engineers want to know which line of code to change. A report that addresses only one of them is not finished.
Working with me