the generalist is about to eat the specialist alive
LLMs compressed expertise. the moat around deep specialization is thinner than ever. the future belongs to fast generalists with good taste. here's why i believe that and how i build.
Security research, side projects, homelab mistakes, and the lessons I wanted to write down before forgetting them.
Paperclip patched an unauth RCE chain in 2026.410.0. pwnkit ingested the advisory, variant-hunted for sibling handlers with the same class of mistake, and found three unprotected routes that let any signed-up user mint plaintext API tokens for any agent in any tenant.
i've been using Claude Opus 4.6 to systematically audit npm packages since early march. after finding 7 CVEs across mysql2, jsPDF, LiquidJS, Uptime Kuma, and node-forge, i'm open-sourcing the multi-agent framework that made it possible.
after using both heavily for coding, i think the real difference is not raw intelligence. it's working style. claude creates momentum. gpt creates rigor.
CVE-2026-33896 — a critical certificate chain verification bypass in node-forge that allows any end-entity certificate holder to forge certificates for arbitrary domains. 32M+ weekly npm downloads affected.
Two CVEs in jsPDF — PDF Object Injection (CVE-2026-31898) and HTML Injection/XSS (CVE-2026-31938). I independently discovered the same vulnerabilities and helped review and harden the fixes as remediation reviewer.
I use Uptime Kuma every day to monitor my homelab. While auditing the codebase as a contributor, I discovered that a previously patched SSTI vulnerability was still exploitable — leading me upstream to LiquidJS, a coordinated fix across both projects, and two published security advisories.
I wanted to manage my domains from the terminal. Infomaniak didn't have a CLI. So I built one — DNS management, terraform-style sync, security audits, propagation checking, and more. Open source on PyPI.
I found four related vulnerabilities in mysql2, the most popular MySQL client for Node.js. Connection option override, prototype pollution, geometry DoS, and an out-of-bounds read — all fixed within 24 hours.
real-time SBB departures styled like the classic Swiss LED boards. live weather, news, crypto ticker, and birthday celebrations. runs on a tablet in our WG hallway.
i built a quiz about how Swiss you are. it got featured on national radio, hit 10,000 quiz takers, and taught me more about product design than any course.
Some people collect sneakers. I collect uptime percentages. 99.9% availability on services nobody asked for.
Hundreds of students, one WhatsApp group, and post-it notes everywhere. I spent 7 months building witelli20 — a dorm management app with room reservations, live transport, and an anonymous confession board.
I left one of the world's best CS programs for a university nobody outside Switzerland has heard of. Everyone thought I was crazy.
i make music and i write code. so naturally i started building my own audio plugins in C++. 6 plugins later, here's what i learned about DSP, JUCE, and shipping creative tools.
i'm a student trying to hit 140g protein daily without protein powder and on a budget. i got tired of checking every product at the store, so i built a free protein tracker for Swiss stores.
i was taking linear algebra at FHNW. so i built a calculator that does everything the textbook does — with step-by-step explanations. then my classmates started using it.
I wanted better stats for Swiss table tennis. So I built TTStats — tracking 5,500+ players and 69,000+ matches. Then it won 2nd place at a startup award.
i started making beats in my bedroom at 17. now i have 100 million streams on Spotify, co-founded a record label, built a mastering studio, and shipped 6 audio plugins.