Security

I didn’t set out to find security bugs. I set out to build software that works. Every once in a while I notice something that shouldn’t be there.

Approach

Coordinated disclosure, always. If I find something, the vendor hears about it before anyone else, and they get a reasonable window to fix it before I publish. The point is to make the software safer, not to make a name for myself.

Published Disclosures

CVE-2026-39117: SSRF in AltumCode 66Uptime Ping Servers Plugin

Severity: High · CVE-2026-39117 · Responsibly Disclosed February 2026

I discovered an unauthenticated Server-Side Request Forgery vulnerability in the 66Uptime multi-location ping servers plugin that enabled cloud credential theft, internal network scanning, and arbitrary server-side requests. I coordinated responsible disclosure with the vendor over 90 days, verified the fix across multiple release cycles, and published a full security advisory.

More information at https://www.glimmernet.com/security/gt-2026-001-ssrf-66uptime-ping-servers/

Ongoing Research

I track active phishing campaigns impersonating major brands — Apple, Microsoft, and other large organizations — using heuristics I’ve developed for malicious domain detection. The work is independent and ongoing, without reliance on commercial threat feeds.

Contact

For security disclosures, email [email protected] with [SECURITY] in the subject line.

Encryption details and disclosure policy are published at /.well-known/security.txt per RFC 9116.