m2hcz;)
I build secure, large-scale systems and examine where they fail through vulnerability research, AppSec and adversarial engineering. Two assigned CVEs, public security research and more than a decade of production engineering.
RESEARCH SUBMITTED TO OR ACKNOWLEDGED BY
Trust is earned
in real systems.
Public programs, responsible disclosure channels and validated security research.
01 / 10External names identify the relevant program or affected ecosystem. They do not imply employment, endorsement, partnership or a commercial relationship.
A.S.I.A Security — Attack Surface Intelligence & Assurance
My independent practice for offensive security, AppSec, vulnerability research and security engineering. Presented separately from third-party acknowledgements.
Engineering depth.
Adversarial perspective.
I am a senior software engineer and offensive security researcher working at the intersection of secure systems, application security and vulnerability research. My engineering background spans backend architecture, distributed systems, server-authoritative design, performance and abuse resistance.
That engineering experience directly informs my security work. I trace a flaw through architecture, code, authorization boundaries and operational behavior — then translate it into reproducible evidence, root cause and practical remediation.
- Role
- Senior Engineer · Offensive Security
- Focus
- AppSec · Research · Backend
- Practice
- A.S.I.A Security
- Location
- Brazil · Remote
- m2hczs@proton.me
- GitHub
- github.com/m2hcz
- Twitter / X
- @inf0secc
- Availability
- Open to opportunities
Security research,
backed by engineering.
Offensive Security & Research
Manual analysis, vulnerability research, controlled exploitation, reverse engineering and evidence-driven validation.
Application & Product Security
Secure code review, threat modeling, authorization analysis, hardening and practical support for secure delivery.
Secure Backend Engineering
Production-grade backend architecture, distributed systems, server-authoritative controls, performance and abuse resistance.
Public work.
Reproducible impact.
Selected disclosures with a clear distinction between assigned CVEs, accepted reports and independently published proof-of-concept research.
CVE-2026-54094
File Browser — Symlink Scope Bypass
A symlink-handling flaw allowed scoped users — and in some public-share scenarios unauthenticated recipients — to access files outside the enforced directory boundary.
CVE-2026-28740
Gitea — Git LFS Cross-Repository Authorization Bypass
An authorization flaw in Gitea's cross-repository Git LFS flow allowed a user with insufficient source-repository permissions to retrieve private LFS objects.
GH CLI
GitHub CLI — Symlink Path Traversal / Git Hook Injection
A path-boundary issue in gh run download enabled writes outside the expected destination and could be used to plant an executable Git hook.
CVE-2025-6440
WooCommerce Designer Pro — Public PoC
Independent proof-of-concept research for an unauthenticated file-upload vulnerability leading to remote code execution.
Gemini CLI
Three reported vulnerabilities involving CI/CD and AI developer-tooling surfaces.
NASA VDP
Security research submitted through NASA's vulnerability disclosure process.
Tesla · xAI / X
Security issues reported through the appropriate program channels.
Automattic
Research involving Automattic and WordPress.com-related assets.
Discord · USP
Reports submitted through the corresponding disclosure channels.
Gov.br · Roblox
Additional authorized research and responsible reporting activity.
Tools that encode
security thinking.
pathward
Defensive library for path traversal, symlink escape, Zip Slip and TOCTOU protection.
ReconMapper v2
Repeatable attack-surface mapping with enumeration, crawling and service fingerprinting.
SQLi Scanner
Automated SQL injection detection and payload-driven validation.
PhantomNet
High-performance client-server networking with compact synchronization patterns.
Built for
production.
More than a decade working with backend systems, production reliability, real-time networking, persistence, anti-abuse controls and live operations.
Languages
Infrastructure
Security
Specializations
Engineering at
player scale.
Selected Roblox titles where backend architecture, persistence, networking, game integrity and live operations were central concerns.
Run For Brainrots
Fast-paced multiplayer runner operating at viral player scale.
Violence District
Scalable server infrastructure, real-time combat systems and live operations.
Last Letter
Core gameplay systems, networking, persistence and modular architecture.
Massacre
Backend architecture, server-authoritative combat, anti-cheat and live operations.
Security without
theater.
A.S.I.A Security — Attack Surface Intelligence & Assurance — is my independent practice for offensive security, AppSec, vulnerability research and security engineering. It translates research depth into scoped assessments, reproducible evidence and practical remediation.
Built together,
clearly separated.
wnk.sh is a collaborative project developed with a partner. It is intentionally presented separately from my solo security research, A.S.I.A practice and engineering work.
Serious systems.
Serious security.
Available for senior software engineering, offensive security, application security and focused research engagements.