zemnmez
Thomas Shadwell LogoA 2D pyramidal frustum (triangle with the top missing). In the center is an open eye, below the eye, a single tear.
Thomas NJ Shadwell

I am an internationally recognised expert on computer security, with specialisms in web security, security program (SSDLC) construction, and automated security analysis.

I am a Member of Technical Staff at OpenAI, where I work on computer security.

I am interested in consulting on legal cases. For business, email me at thomas@shadwell.im.

A selection of my work over the years can be found below.

2024
XXX
October.
May.
GPT4o. Product security for OpenAI‘s first multimodal model. §b220c.
January.
2023
XXIX
October.
August.
March.
2022
XXVIII
November.
2021
XXVII
July.
Monorepo. a polyglot, fully tested, automatically upgraded, automatically versioned, continuously integrated monorepo ecosystem reflecting ideas I had working on hardening at scale at Google. §957be.
2020
XXVI
December.
October.
July.
Senior Information Security Engineer, Google ISE hardening. Automated security mitigation, detection and refactoring using compiler technology (“langsec”), SDKs and DSLs (“hardening”) on TypeScript and Java. Google-wide mitigations for Log4Shell, XSS, deserialization attacks. Product security review and design, Google Ads (“FLOC”, “FLEDGE”), Google Cloud, Google's IDE (“Cider”). Research including critical disclosures such as CVE-2022-41034. §bbd55.
May.
April.
do-sync. Async to sync library for encapsulated javascript macros. §08e89.
February.
2019
XXV
December.
November.
Chromium cross-origin bypass. in Google Chrome, Blink, or Chromium, it was possible to bypass cross-origin restrictions by causing a refresh of a failed cross-origin request. CVE-2019-13664. §db098.
July.
June.
May.
April.
January.
2018
XXIV
December.
September.
January.
2017
XXIII
November.
September.
July.
February.
2016
XXII
April.
January.
2015
XXI
December.
October.
Nebula Finder’s Fee. unique developer granted cosmetic item for the video game Team Fortress 2 granted for security issues allowing remote access to computers running the video game. §214fc.
2014
XX
September.
Senior Application Security Engineer, Twitch. first security engineer at the video game streaming website. Designed security architecture for flagship projects including bits, the Twitch API, extensions and Twitch's OIDC / OAuth AuthN/Z systems. Created and defined security relationships and processes. Built Go security static analysis system, security frameworks and libraries. §0bb2b.
July.
April.
Sunbeams Ebenezer. unique developer granted cosmetic item for the video game Team Fortress 2 granted for security issues allowing movement millions of dollars of virtual items between arbitrary accounts via account takeover. §9fd25.
January.
2013
XIX
January.
2012
XVIII
May.
March.
Developer, Rewired State. charity focused on teaching code literacy. Ran and participated in hackathons for good causes. Taught software engineering to young people. §f775d.
2011
XVII
November.
September.
Sr. Admin, TF2Outpost. Volunteer role at once largest trading website in the Steam community. Worked on administration of high-profile trades & scams. §29971.
April.
February.
2010
XVI
December.
January.
2009
XV
July.

About.

The design of this website.

This website is a direct descendant of one I made in 2019. The core ideas come from very early on when I was using the internet, and I didn't want to tell people with my chosen username what kind of person I was. I picked the username zemnmez to be something meaningless that people could fill with their own ideas of who I was.

Similarly, when I made the website, I didn't want to tell people directly about myself, so instead I made this timeline to keep track of what I had done every year. The number in roman numerals is my age that year. It fulfilled another role as I was collecting my work to apply for my US O1 visa, which requires proving that you've done a lot of interesting things!

The background video (hero video) in summer is of a hidden area in the gardens of Kenwood House, a beautiful stately home sandwiched between Highgate and Hampstead in London where I grew up. It's located at about 51.57139601074658°N, -0.16924392259112794°E.

It used to be that there was a bench hidden under overgrown bushes and a tree near the hydrangeas past the orangery. I took a video from there one summer – I was collecting photos and videos to remind me of home because I knew I'd leave it behind someday to move to the US.

In winter, a close-by location of Kenwood House in the snow is shown.

The type and style itself was inspired by older, pre-computer era typsetting such as the Lloyd's Act 1871. Particular effort was put into trying to have content fill horizontal space automatically, as seen in older documents that try to make the most of the paper they're printed on.

What's the difference between Zemnmez LogoOne big square, two small squares and 4 rectangles make up a shape that resembles a stylised, angular eye. A square, rotated 45° so that its corners point up, down, left and right. The square has on either side of it two similar smaller squares, separated by a small gap. Each of the four square's sides have a rectangle following their edges with the same small gap. and Thomas Shadwell LogoA 2D pyramidal frustum (triangle with the top missing). In the center is an open eye, below the eye, a single tear.?

The diamond logo (Zemnmez LogoOne big square, two small squares and 4 rectangles make up a shape that resembles a stylised, angular eye. A square, rotated 45° so that its corners point up, down, left and right. The square has on either side of it two similar smaller squares, separated by a small gap. Each of the four square's sides have a rectangle following their edges with the same small gap.) came out of several years of wanting a way to express myself in art. For a few years following, I changed logo annually based how I'd felt the year prior, making logos with geometry and construction lines.

When I eventually made the diamond logo, it ended up looking a like an eye logo I'd made very early on in 2012. I liked it so much it came to represent the persona I had since 2009. The logo itself is from much later, probably around 2015.

The time eye logo (Thomas Shadwell LogoA 2D pyramidal frustum (triangle with the top missing). In the center is an open eye, below the eye, a single tear.) was the later (2019) creation, coming out of a specific need to disambiguate between the published work I had as Thomas Shadwell, my real name, versus zemnmez, the persona I had used since 2009. It became necessary after I made the Forbes Under 30 list for my tax system hack in 2018. Before this point I'd worked hard to try to keep the two identities separate, but Forbes lists aren't really for online personas.

The eye logo is a reference to the well-known eye of providence, a symbol that represents human achievement as being incomplete without God. I wanted it to reflect the idea that, in a universe that might not have a God, we as people have a responsibility to care for each other.

In having to make this distinction, for a short time the work published as zemnmez continued to represent the things I was most proud of – an idealised kind of self. But at Google, I started to publish security research I was really proud of as both zemnmez and Thomas Shadwell The abstract ideas are still there, but now I'm more Thomas than I ever was. ☺