Senior Software Engineer · Offensive Security Researcher

m2hcz;)

I build secure, large-scale systems and examine where they fail through vulnerability research, AppSec and adversarial engineering. Two assigned CVEs, public security research and more than a decade of production engineering.

12+
Years of software engineering
02
Assigned CVE identifiers
2.2B+
Visits across shipped games
TRUSTED WALL · RESPONSIBLE DISCLOSURE

RESEARCH SUBMITTED TO OR ACKNOWLEDGED BY

Trust is earned
in real systems.

Public programs, responsible disclosure channels and validated security research.

01 / 10

External names identify the relevant program or affected ecosystem. They do not imply employment, endorsement, partnership or a commercial relationship.

INDEPENDENT SECURITY PRACTICE

A.S.I.A Security — Attack Surface Intelligence & Assurance

My independent practice for offensive security, AppSec, vulnerability research and security engineering. Presented separately from third-party acknowledgements.

Visit A.S.I.A ↗
01 — Profile

Engineering depth.
Adversarial perspective.

I am a senior software engineer and offensive security researcher working at the intersection of secure systems, application security and vulnerability research. My engineering background spans backend architecture, distributed systems, server-authoritative design, performance and abuse resistance.

That engineering experience directly informs my security work. I trace a flaw through architecture, code, authorization boundaries and operational behavior — then translate it into reproducible evidence, root cause and practical remediation.

Role
Senior Engineer · Offensive Security
Focus
AppSec · Research · Backend
Location
Brazil · Remote
Twitter / X
@inf0secc
Availability
Open to opportunities
02 — Capabilities

Security research,
backed by engineering.

01 / 03

Offensive Security & Research

Manual analysis, vulnerability research, controlled exploitation, reverse engineering and evidence-driven validation.

Vulnerability ResearchExploit DevelopmentReverse Engineering
02 / 03

Application & Product Security

Secure code review, threat modeling, authorization analysis, hardening and practical support for secure delivery.

Code ReviewThreat ModelingAuthorization
03 / 03

Secure Backend Engineering

Production-grade backend architecture, distributed systems, server-authoritative controls, performance and abuse resistance.

Distributed SystemsAnti-AbuseArchitecture
03 — Security Research

Public work.
Reproducible impact.

Selected disclosures with a clear distinction between assigned CVEs, accepted reports and independently published proof-of-concept research.

R-001
CVE-2026-54094

File Browser — Symlink Scope Bypass

Assigned CVEHigh · CVSS 7.5CWE-22 / CWE-59

A symlink-handling flaw allowed scoped users — and in some public-share scenarios unauthenticated recipients — to access files outside the enforced directory boundary.

R-002
CVE-2026-28740

Gitea — Git LFS Cross-Repository Authorization Bypass

Assigned CVEHigh · CVSS 7.1CWE-639 / CWE-863

An authorization flaw in Gitea's cross-repository Git LFS flow allowed a user with insufficient source-repository permissions to retrieve private LFS objects.

R-003
GH CLI

GitHub CLI — Symlink Path Traversal / Git Hook Injection

Accepted reportCWE-22 / CWE-59

A path-boundary issue in gh run download enabled writes outside the expected destination and could be used to plant an executable Git hook.

R-004
CVE-2025-6440

WooCommerce Designer Pro — Public PoC

Independent PoCCritical · CVSS 9.8CWE-434

Independent proof-of-concept research for an unauthenticated file-upload vulnerability leading to remote code execution.

D-01

Gemini CLI

Three reported vulnerabilities involving CI/CD and AI developer-tooling surfaces.

D-02

NASA VDP

Security research submitted through NASA's vulnerability disclosure process.

D-03

Tesla · xAI / X

Security issues reported through the appropriate program channels.

D-04

Automattic

Research involving Automattic and WordPress.com-related assets.

D-05

Discord · USP

Reports submitted through the corresponding disclosure channels.

D-06

Gov.br · Roblox

Additional authorized research and responsible reporting activity.

Disclosure note — External names indicate the relevant program or affected ecosystem; they do not imply employment, endorsement or commercial affiliation.
05 — Engineering

Built for
production.

More than a decade working with backend systems, production reliability, real-time networking, persistence, anti-abuse controls and live operations.

Languages

PythonTypeScriptRustGoCC#Lua / LuauSQL

Infrastructure

LinuxDockerKubernetesTerraformCloudflarePostgreSQLRedis

Security

Burp SuitemitmproxyFridaGhidraSemgrepNmapWireshark

Specializations

Backend ArchitectureDistributed SystemsServer-Authoritative DesignAnti-CheatVulnerability ResearchReverse Engineering
Independent practice
A.S.I.A

Security without
theater.

A.S.I.A Security — Attack Surface Intelligence & Assurance — is my independent practice for offensive security, AppSec, vulnerability research and security engineering. It translates research depth into scoped assessments, reproducible evidence and practical remediation.

Web & API PentestAppSecSecure Code ReviewThreat ModelingRemediation
Collaborative venture
wnk.sh

Built together,
clearly separated.

wnk.sh is a collaborative project developed with a partner. It is intentionally presented separately from my solo security research, A.S.I.A practice and engineering work.

07 — Contact

Serious systems.
Serious security.

Available for senior software engineering, offensive security, application security and focused research engagements.