software, security, systems.

I'm Molly. I work on full-stack products, security research, infrastructure, and tools. This is where I write about what I build, break, and learn.

23 years old
Fullstack Developer & Security @ Galadrim
42 alumni
Paris, France

latest article

MAY 10, 2026

Why the fuck did I write a Rust crate?

A Freebox OS security research diary: two privately reported vulnerabilities self-scored at CVSS 3.1 8.5 and 8.7, one still-under-investigation bug that got me closer than expected to root, and the rediscovery of a decade-old easter egg.

rust, cybersecurity, freebox, api

work & disclosures


X (Twitter) - 2024

CVSS 5.9 Medium

Reported a web and mobile denial of service affecting private messages, with a 1120 USD bounty.

Proton - 2025

CVSS 6.3 Medium

Identified and reported an access control flaw allowing a paywall bypass.

React2Shell incident response - 2025

Validated exploitability on production applications managed by Galadrim and coordinated remediation with development teams.

pdfcpu - 2025

CVSS 8.2 High

Reported a stack overflow leading to denial of service.

Santé Publique France - 2026

CVSS 8.7 High

Reported an IDOR exposing personally identifiable data, for roughly 250 EUR in bounty.

Iliad / Freebox OS - 2026

CVSS 8.7 High

Reported two vulnerabilities affecting Freebox OS, enabling one-click account takeover.

libsoup - 2026

CVSS 6.9 Medium

Reported a memory corruption issue in the HTTP client/server library.

Fédération Française d'Athlétisme - 2026

CVSS 5.9 Medium

Reported weak cryptographic practices and non-robust implementations.

connect

GitHub: ggmolly