messier@terminal:~/security$

security research_

i like pulling things apart to understand how they work. when i find something broken, i tell the people who built it. all findings below were responsibly disclosed to the affected parties before being listed here.


Little Wonderland

disclosed 2025

E-commerce platform. Discovered authentication and authorization flaws in the order management system that allowed placing orders without payment.

highlights

  • order database insertion without authentication
  • payment bypass via direct API manipulation
  • contacted the team and disclosed all findings
stack: web application
scope: order API, payment flow, authentication
duration: several sessions

plzdontkillus.com

disclosed 2026-05-05

AI safety creator bootcamp by Aella & Ronny Fernandez (Lightcone Infrastructure). Month-long residency in Berkeley for creators making AI doom content.

37 findings: 1 critical, 12 high, 8 medium, 16 low/info

highlights

  • combined CSRF + stored XSS + mass assignment + javascript: URI attack chain
  • write-only API with zero data leakage (positive finding)
  • 3 denial-of-service crash vectors on single-threaded python server
  • full infrastructure mapping: Cloudflare → nginx → Python http.server
  • 250+ tests across 5 phases
stack: Cloudflare, nginx, Python http.server
scope: application API, static frontend, DNS, OSINT
duration: ~10 hours

if you want me to audit something, or if you think i broke something of yours and want to talk about it - reach out. i don't do this to cause harm. i do it because understanding how systems fail is the first step to making them resilient.

messier@terminal:~/security$ _