SERVICES

• Boutique Source Code Review: For cases where automated commodity checks won't cut it (or don't exist) and you need an experienced security engineer to review your source code to highlight not only existing security issues but also "close calls", dangerous practices, and opportunities for holistic fixes. Drawing on experience with some of the biggest systems in existence, we can design scalable solutions together with your technical staff instead of copy-pasting rote recommendations.
• Second Opinion Service: We can help interpret and prioritize recommendations/findings you have received elsewhere as well as help ensure you purchase a correctly specified service (such as a penetration test) so that it aligns with what you are trying to achieve.
• Office Hours & Homework: A package tailored for early start-ups. It consists of a) a recurring "office hours" meeting where the client, typically a founder, brings up their information security questions for discussion/advice and b) a small amount of follow-up/preparatory solo work in connection with each session. With this iterative approach, the client controls allocation of time and avoids paying for verbose reporting as results are communicated continuously throughout the sessions.
• Training: Whether your audience is developers, management, or your comms/legal team, we can create presentations and trainings on information security topics to ensure your audience is left with more, rather than less, clarity. I've been frequently complimented on explaining highly specialized concepts to either laypeople or experts in adjacent fields. As a public example, my recent guest lecture "got great student feedback (5.0/5)". In previous employment, I often helped other engineers improve their presentations, communications, and diagrams to increase clarity and conciseness.

Feel free to contact us for custom projects/requests as well.

EXPERIENCE

I perform all engagements myself, with experience of:

• 8+ years of FAANG employment
• Finding vulnerabilities in OS kernels + libraries, web/mobile/server applications, cryptocurrencies, ...
• Reviewing C/C++, Python, Hack/PHP, Rust, Java, TS/JS, Scala, Erlang, ...
• Co-operating with developers to solve not only the individual vulnerability but the underlying pattern
• Reverse engineeering an in-the-wild zero-day
• Working cross-functionally with (T)PMs, attorneys, static analysis experts, PR, and government officials
• Competitive algorithmic programming (ACM ICPC world finals)

TYPES OF CLIENTS

• A well-known company in the web3 industry
• A Fortune 500 company
• A law office (technical advisory on a case)
• An early stage start-up

RECENT ACTIVITIES

• Flow blockchain fixes four critical securty bugs reported by us
• Visited the Shoot the Messenger podcast from EXILE and Committee to Protect Journalists
• Guest lecture on my web3 bug bounty work at Tero Karvinen's Penetration testing course @ Haaga-Helia
• I visited the Herrasmieshakkerit podcast (in Finnish)
• The New Yorker magazine featured my previous work