Security research, side projects, homelab mistakes, and the lessons I wanted to write down before forgetting them.
i've been quietly on the FHNW Rover Team for the past months while building many projects in public and working as a cyber defense engineer. yesterday my team and I won first place at the FHNW Rover Träff — every task, overall. the warm-up comp before this year's european rover challenge finals in poland.
Paperclip patched an unauth RCE chain in 2026.410.0. pwnkit ingested the advisory, variant-hunted for sibling handlers with the same class of mistake, and found three unprotected routes that let any signed-up user mint plaintext API tokens for any agent in any tenant.
LLMs compressed expertise. the moat around deep specialization is thinner than ever. the future belongs to fast generalists with good taste. here's why i believe that and how i build.
i used Claude Opus 4.6 to systematically audit npm packages and found 7 CVEs across mysql2, jsPDF, LiquidJS, Uptime Kuma, and node-forge. the multi-agent framework behind it — pwnkit — is now the closed-source engine powering 0sec.
after using both heavily for coding, i think the real difference is not raw intelligence. it's working style. claude creates momentum. gpt creates rigor.
CVE-2026-33896 — a critical certificate chain verification bypass in node-forge that allows any end-entity certificate holder to forge certificates for arbitrary domains. 32M+ weekly npm downloads affected.
Two CVEs in jsPDF — PDF Object Injection (CVE-2026-31898) and HTML Injection/XSS (CVE-2026-31938). I independently discovered the same vulnerabilities and helped review and harden the fixes as remediation reviewer.
I use Uptime Kuma every day to monitor my homelab. While auditing the codebase as a contributor, I discovered that a previously patched SSTI vulnerability was still exploitable — leading me upstream to LiquidJS, a coordinated fix across both projects, and two published security advisories.
I wanted to manage my domains from the terminal. Infomaniak didn't have a CLI. So I built one — DNS management, terraform-style sync, security audits, propagation checking, and more. Open source on PyPI.
I found four related vulnerabilities in mysql2, the most popular MySQL client for Node.js. Connection option override, prototype pollution, geometry DoS, and an out-of-bounds read — all fixed within 24 hours.
real-time SBB departures styled like the classic Swiss LED boards. live weather, news, crypto ticker, and birthday celebrations. runs on a tablet in our WG hallway.
i built a quiz about how Swiss you are. it got featured on national radio, hit 10,000 quiz takers, and taught me more about product design than any course.
Some people collect sneakers. I collect uptime percentages. 99.9% availability on services nobody asked for.
Hundreds of students, one WhatsApp group, and post-it notes everywhere. I spent 7 months building witelli20 — a dorm management app with room reservations, live transport, and an anonymous confession board.
I left one of the world's best CS programs for a university nobody outside Switzerland has heard of. Everyone thought I was crazy.
i make music and i write code. so naturally i started building my own audio plugins in C++. 6 plugins later, here's what i learned about DSP, JUCE, and shipping creative tools.
i'm a student trying to hit 140g protein daily without protein powder and on a budget. i got tired of checking every product at the store, so i built a free protein tracker for Swiss stores.
i was taking linear algebra at FHNW. so i built a calculator that does everything the textbook does — with step-by-step explanations. then my classmates started using it.
I wanted better stats for Swiss table tennis. So I built TTStats — tracking 5,500+ players and 69,000+ matches. Then it won 2nd place at a startup award.
i started making beats in my bedroom at 17. now i have 100 million streams on Spotify, co-founded a record label, built a mastering studio, and shipped 6 audio plugins.