X (Twitter) - 2024
CVSS 5.9 Medium
Reported a web and mobile denial of service affecting private messages, with a 1120 USD bounty.
software, security, systems.
I'm Molly. I work on full-stack products, security research, infrastructure, and tools. This is where I write about what I build, break, and learn.
23 years old
Fullstack Developer & Security @ Galadrim
42 alumni
Paris, France
latest article
JUN 07, 2026
TBSO: A Listed Shell Selling an AI/Fintech Platform Before the Platform Exists
A research-note style analysis of TBSO's completed capital increase, founder control, related-party NVST risk, AI/fintech roadmap, Bitcoin pivot, and valuation against the current evidence.
financeipoaicrypto
Read article ->
recent writing
view all posts ->finance
TBSO: A Listed Shell Selling an AI/Fintech Platform Before the Platform Exists
financeipoai
rust
Why the fuck did I write a Rust crate?
rustcybersecurityfreebox
scraping
Mogador: enterprise-grade scraping with one beefy workstation
scrapingrustdata
reverse-engineering
Belfast: Reverse engineering a mobile game server
reverse-engineeringgoprotobuf
clickhouse
A ClickHouse segfault in query planning (and the 5-line fix)
clickhousec++debugging
self-hosting
Everything I Self-Host at Home
self-hostinghomelabdocker
selected projects
view all projects ->belfast
An open-source Azur Lane server emulator written in Go. High performance and scalable architecture.
GoNetworkingReverse Engineering
semantic-chan
CLI / MCP / HTTP server designed to index huge codebase to allow semantic searching for humans or LLMs.
GoAICLIMCP
pgp-mfa
Proof of concept MFA authentication method using PGP keys.
GoSecurityCryptography
jabberwock
An org-wide secrets scanner that runs on every GitHub push and routes hash-only findings to Slack and a read-only dashboard. Used at Galadrim.
SecurityAWSServerlessDevOps
work & disclosures
view all disclosures ->Proton - 2025
CVSS 6.3 Medium
Identified and reported an access control flaw allowing a paywall bypass.
React2Shell incident response - 2025
Validated exploitability on production applications managed by Galadrim and coordinated remediation with development teams.
pdfcpu - 2025
CVSS 8.2 High
Reported a stack overflow leading to denial of service.
Santé Publique France - 2026
CVSS 8.7 High
Reported an IDOR exposing personally identifiable data for roughly 250 EUR in bounty.
Iliad / Freebox OS - 2026
CVSS 8.7 High
Reported two vulnerabilities affecting Freebox OS, enabling one-click account takeover.
libsoup - 2026
CVSS 6.9 Medium
Reported a memory corruption issue in the HTTP client/server library.
Fédération Française d'Athlétisme - 2026
CVSS 5.9 Medium
Reported weak cryptographic practices and non-robust implementations.