I focus on finding concrete, reproducible bugs in open-source SDKs and developer infrastructure. My work is grounded in deep code reading, adversarial verification, and structured disclosure — not exploit theatre.

Active contributor to ecosystems across DeFi, AI agents, Web3 bridges, fintech SDKs, and developer tooling. I prefer execution over speculation, structured disclosure over hype, and merged contributions over closed PRs.

My work spans security research, SDK auditing, and open-source contribution across multiple ecosystems.

Focus areas:

• SDK code-correctness audits (TypeScript, Python, Rust, Solidity)
• Async race conditions and lifecycle bugs
• Type-binding drift between SDK declarations and runtime behavior
• OpenAPI generator artifacts and schema validation gaps
• Decimal/precision handling in financial systems
• Responsible disclosure via HackerOne and GitHub Security Advisories

I work in long structured audit sweeps, verify every finding via adversarial 3-lens review, and only file what survives independent confirmation. Reputation over volume.

• SDK code-correctness in TypeScript / Python / Rust / Solidity
• Async race conditions and lifecycle bugs
• Type-binding drift between SDK declarations and runtime behavior
• OpenAPI generator artifacts and schema validation gaps
• Decimal/precision handling in financial systems
• Open-redirect, SSRF, and timing-oracle patterns
• Auth-callback routing failures and token-lifecycle violations
• GitHub Security Advisory (GHSA) coordinated disclosure
• HackerOne report drafting (CVSS 4.0, CWE classification)

I audit production-runtime SDKs for concrete code-correctness bugs that affect SDK consumers and downstream applications. The goal is always a 1-3 line fix and a passing test, not a theoretical hazard.

Recent merged contributions:

• initia-labs/initia.js#168 — Cosmos denom regex spec alignment
• vercel/turborepo#12976 — HTTP timeout added to auth path (closed #12975)

Active sprints:

• Polymarket SDK ecosystem (py-sdk, ts-sdk, clob-client-v2)
• Across-protocol (toolkit, relayer, json-constants, sdk)
• Cloudflare OSS (workers-sdk, agents, sandbox-sdk)
• Plaid React Native SDK
• Vercel Tier-1 OSS

I file responsibly via the channel that fits the finding class — HackerOne for in-scope programs, GitHub Security Advisory for direct-to-maintainer coordination, public GitHub Issues for pure code-quality bugs.

Disclosure principles:

• Verify every claim via independent code reading + grep + cross-reference
• Calibrate severity conservatively (CVSS 4.0 with reasoned vector)
• Submit one finding per report, no padding
• Include suggested fix and concrete reproduction steps

When a bug class appears once, it usually appears across the ecosystem. I systematically hunt the same pattern across related repositories to surface cross-project occurrences and structural causes.

Recent pattern hunts:

• Missing AbortSignal.timeout() on critical-path fetches (7 repos surveyed)
• Map/Set leak on consumer unsubscribe (6 repos surveyed)
• Type signature drift on optional fields (multiple SDKs)

Every finding I file passes through a 3-lens adversarial verification: correctness (does the code actually behave as described), reproducibility (could a maintainer trigger this from the description), and refutation (try to disprove the finding). Only findings surviving 2-of-3 lenses are filed.

This pipeline prioritizes signal quality over volume — I'd rather file 5 reports that all confirm than 50 that maintainers dispute.

Right now, I'm especially focused on:

• Coordinated GHSA disclosure on cross-chain bridge SDKs
• Cloudflare OSS production-runtime audit pass
• Plaid React Native SDK lifecycle and type-binding review
• Building a multi-program signal-pool strategy across HackerOne, GHSA, and direct GitHub

• HackerOne: hackerone.com/nexory
• Email: open to coordinated disclosure on private security advisories

If you maintain an SDK and want a focused audit pass, reach out — I work in structured sprints and only file what I can confirm.

If something I've reported helped your project or saved your users from a bug class, consider sponsoring future research:

Every contribution funds more research time spent reading code and filing high-signal disclosures.

• Location: Europe
• Background: Security research, SDK audit, responsible disclosure
• Work Style: Long structured sweeps, adversarial verification, conservative severity calibration
• Interests: SDK code-correctness, cross-chain bridges, AI agent security, fintech integrity
• Approach: Read code carefully, verify aggressively, disclose responsibly
• Mindset: Reputation over volume, merged contributions over filed reports