What I'm shipping in the open.

Rapid7's industry-standard penetration-testing framework — used by security teams worldwide. I author auxiliary detection modules that let defenders check whether newly-disclosed CVEs affect their own systems, each one reviewed and merged by Rapid7's maintainers.

• Add LiteLLM proxy pre-auth SQL injection scanner (CVE-2026-42208)merged Jun 2026
• Add Next.js middleware authorization bypass scanner (CVE-2025-29927)merged Jun 2026
• Add Audiobookshelf authentication bypass scanner (CVE-2025-25205)merged Jun 2026
• Module Documentationmerged Jan 2020
• Module Documentationmerged Dec 2019
• Module Documentationmerged Dec 2019
• Module Documentationmerged Dec 2019
• Module Documentation.merged Dec 2019
• Aux Docsmerged Nov 2019
• Aux module documentationmerged Nov 2019
• Add vLLM Anthropic router info-leak scanner for CVE-2026-54236in review
• Add vLLM multimodal info-leak scanner for CVE-2026-22778in review
• Add Kopia server SFTP ProxyCommand argument injection exploit (CVE-2026-45695)in review
• Add Splunk PostgreSQL sidecar unauthenticated file operation scanner (CVE-2026-20253)in review
• Add LiteLLM MCP test endpoint command execution exploit (CVE-2026-42271)in review

The community vulnerability-detection library behind ProjectDiscovery's Nuclei scanner. I contribute templates that detect specific newly-published CVEs.

• Add CVE-2026-54236 vLLM Anthropic router heap-address info-leak templatemerged Jun 2026
• Add CVE-2026-22778 vLLM multimodal heap-address info-leak templatein review
• Add CVE-2026-45695: Kopia Server SSH ProxyCommand Injection (Unauth RCE)in review

Truffle Security's widely-used secret-scanning engine that finds leaked credentials in code. I added detection for a new API-key type.

• Add Tavily API key detectorin review

NVIDIA's open-source vulnerability scanner for large language models. I contribute probes that test AI systems for injection flaws.

• Add NoSQL injection probe and detectorin review
• Add OS command injection probe and detectorin review

Microsoft's Python Risk Identification Toolkit for red-teaming generative-AI systems. I contribute attack converters used to probe AI safety.

• [DRAFT] FEAT add Policy Puppetry converter (#2080)in review

An open-source heart-rate-variability biofeedback tool used for stress and wellbeing training. I added automated testing to keep it reliable.

• test: add minimal headless smoke test and run it in CI (#28)merged Jun 2026

A self-hosted journaling application. I contribute reliability fixes, tests, and security hardening.

• fix(electron): anchor path validation and block off-origin navigationin review
• chore(deps): resolve npm audit advisories via non-breaking updatesin review
• test: add unit tests for moodAnalyticsin review
• fix(db): add foreign key from ai_usage_stats.user_id to auth.usersin review
• fix(revenuecat-webhook): require plus entitlement before granting is_pro on BILLING_ISSUEin review

A privacy-focused journaling app. I contribute features like full-text search and timeline views.

• feat(timeline): add timeline list view of entries (#161)in review
• feat(search): full-text search over decrypted entries (#160)in review

A terminal-based guided-breathing tool for taking a mindful pause without leaving the keyboard.

• feat: Linux sound playback with auto-detected player (#7)in review

An open-source mental-health community platform for sharing coping strategies. I contribute accessibility and localization improvements.

• [#2322] Add language selector to navbarin review

Open-source software powering local, ethical food supply chains for farmers and food hubs worldwide.

• Add webhook event for orders placed with payment duein review