Software engineer building and breaking things across games, XR, practical tools, and AppSec research.
My background spans web development, data ingestion, XR visualization, Unity/Godot projects, and application security. Recently, I have been focused on web vulnerability research, responsible disclosure, and documenting security findings through rubberducky.codes.
-
CVE-2026-54685
Write-up: rubberducky.codes/research/cve-2026-54685
Advisory: GHSA-7789-65hx-f26w -
CVE-2026-30933
Write-up: rubberducky.codes/research/cve-2026-30933
Advisory: GHSA-525j-95gf-766f -
Unlimited Login Attempts
Write-up: rubberducky.codes/research/unlimited-login-attempts
Advisory: GHSA-r4v7-6wcg-ghj5 -
Session Theft to Takeover
Write-up: rubberducky.codes/research/session-theft-to-takeover
-
Farked — Solo project, 2025
badjuju-xrdev.itch.io/farked -
Skull Shadows — Godot XR Game Jam, 2025
badjuju-xrdev.itch.io/skull-shadows -
SMRTT — Meta Quest Hackathon 2024
devpost.com/software/smrtt -
Drone Express — 2023 VR Game Jam
badjuju-xrdev.itch.io/drone-express
I write about application security, vulnerability research, and technical projects at:
Started in 2026.
- Hack The Box Certified Web Exploitation Specialist — December 2025
- AWS Certified Cloud Practitioner — 2021–2027
- OffSec Web Expert — Currently pursuing

