Blogs

Finding LDAP Injection in Snipe-IT

Overview: Structured security code review is a practical and effective approach to finding real vulnerabilities. In this post I walk through how I applied a systematic review methodology to Snipe-IT, a popular open-source IT asset management platform, and how that approach led me directly to a …

AMP Deep Extraction Open Redirect in DuckDuckGo Privacy Essentials (Firefox)

Background: I’ve been spending some time looking at browser extensions as a security target. They are interesting because they sit between the browser and the network, operate with elevated permissions, and users generally trust them implicitly. The whole point of a privacy extension is that …

OPNsense: LDAP Injection via Unsanitized Login Username

OPNsense is a popular open-source firewall and routing platform built on FreeBSD. It handles network perimeter security for a huge range of environments, from home labs to enterprise edge routers, and it supports LDAP and Active Directory integration for centralized authentication. That makes the …

Three Security Findings in Tautulli: SSRF, JSONP Injection, and SQL Injection

Background: Tautulli is a Python/CherryPy web application that sits alongside your Plex Media Server and gives you statistics, notifications, and monitoring for everything happening on your server. It is one of the most popular self-hosted Plex companion apps, and a lot of people run it exposed on …

Finding a Svelte SSR XSS via Unsanitized idPrefix in HTML Comment Markers

Background: I’ve been working through Vercel’s bug bounty program, which explicitly calls out server-side rendering and compiler security as focus areas. Svelte is a Tier 1 target in that program, and since Svelte 5 introduced a significant rework of how components are compiled and …

AdGuardHome: Unauthenticated API Access via HTTP/2 Cleartext (h2c) Upgrade

AdGuardHome is a self-hosted DNS-level ad blocker that a lot of people, myself included, run on their home networks. It sits in front of all your DNS traffic and blocks ads, trackers, and malware domains before they even get a chance to load. It is common on home routers, Raspberry Pis, and small …