GROUND STATION · NITEROI ESTABLISHING UPLINK · UTC-3 TRACKING 6 OBJECTS ● LINK OPERATIONAL
000%
VINICIUS PEREIRA // GROUND CONTROL ALL SYSTEMS OPERATIONAL DSC 000% UTC-3
01ORBITAL VIEWNAV.HOME
OPERATOR: VINICIUS PEREIRA · NITEROI STATION · UTC-3 · CHANNEL OPEN TO US + EU

I BUILD AI
SYSTEMS THAT
SURVIVE PRODUCTIONTGT LOCK.

FULL-STACK AI ENGINEER · PROOF, NOT PROMISE
GND · NITEROI BEDROCK● OPR TOKEN-LEDGER● OPR RETELL-SMS● OPR LEAD-QUORUM● CLOUD RUN 6-NA-REDE-IOS● APP STORE DESKCENTER● 1,000+ BIZ
FIG.01 · TRACKED SYSTEMS · 6 / 6 NOMINAL · HOVER TO INTERROGATE
RETELL-SMS 66 CHECKS PASS  ·  TOKEN-LEDGER 32 CHECKS PASS  ·  JOB-ALERTS 39 CHECKS PASS  ·  LEAD-QUORUM 5 SERVICES LIVE ON CLOUD RUN  ·  GOOGLE CLOUD RUN BADGE AWARDED  ·  13 SECURITY DISCLOSURES · 2 PUBLISHED CVES · ANTHROPIC BOUNTY PAID  ·  NOTHING SHIPS UNTESTED  ·  
◂ OPENING TRANSMISSIONWHO IS ON THE OTHER END

I build AI automation and data pipelines that show their work and stay reliable in production. A multi-agent qualifier where two models cross-check each other and abstain when they disagree. An agent that writes SQL and corrects its own errors. A RAG pipeline that measures its retrieval quality before it answers. MCP servers that let an AI assistant query live business data mid-conversation.

Underneath all of it is the data craft that feeds every AI system: web scraping, PDF extraction, and Python pipelines that turn messy sources (websites, PDFs, public records, scattered APIs) into clean, structured data you can actually use.

All of it is public. Every claim on this page links back to its source: the repositories, a live app, published security advisories, a book you can download. Proof, not promise.

02TELEMETRYSYS.TLM
TLM-01
10+
YEARS IN DATA ENGINEERING
TLM-02
1,000+
BUSINESSES ON MY SAAS
TLM-03
5.0★★★★★
EVERY UPWORK CONTRACT
TLM-04
6
PUBLIC REPOS · TESTED + SHIPPED
TLM-05
13
SECURITY DISCLOSURES · 0 DISMISSED
TLM-06
$2,000
BUG BOUNTY PAID BY ANTHROPIC
03FLIGHT SYSTEMSOWNED · OPERATED
OWNED AND OPERATED BY THE ENGINEER · NOT CLIENT WORK
DeskCenter dashboard: PDV, inventory and financials
FIG.02 · DESKCENTER · POS + INVENTORY + FINANCIALS
POS MODULE REAL-TIME INVENTORY FINANCIALS
SYS-A · DESKCENTER

RETAIL MANAGEMENT SAAS

A full retail platform: fast point of sale, real-time inventory, integrated financials, a public online catalog, and advanced reports (margin, ABC curve, sales projection). Reads an entire Excel workbook on import. Built, shipped and operated end to end.

ACTIVE BUSINESSES1,000+
UPTIME99.9%
STACKTYPESCRIPT · REACT · SUPABASE · PWA
◂ VISIT DESKCENTER.COM.BR →
SYS-B · 6-NA-REDE-IOS

6 NA REDE

LIVE ON THE APPLE APP STORE

The official app of a footvolley club in Niterói: training schedule with attendance, balanced doubles draw, win rankings, events and gallery. A Next.js PWA shipped as a native iOS app via Capacitor, one codebase through Apple review, published under my own developer name.

CATEGORYSPORTS · iOS APP STORE
DEVELOPERVINICIUS PEREIRA
STACKNEXT.JS 14 · TAILWIND · SUPABASE · CAPACITOR 8
◂ VIEW ON THE APP STORE →
6 na Rede app on the App Store
NATIVE SHELL
PWA CORE
04MISSION LOGCLIENT · NDA

CLIENT MISSIONS SHIP UNDER NDA. DESCRIBED BY OUTCOME, NOT BY NAME. QUOTES FROM PUBLIC REVIEWS OF COMPLETED CONTRACTS.

M-012026 · CLOSED 5.0 · SCHEDULER STILL LIVE

MARKET INTELLIGENCE PIPELINE

Daily scraping and enrichment for a US real-estate firm. Scheduler running 24/7 on a dedicated VPS, unattended.

★★★★★5.0His communication was excellent every step of the way.
M-022026 · CLOSED 5.0

CONFIG-DRIVEN CLEANSING ENGINE

Data cleansing driven entirely by configuration, backed by automated tests, so rules change without breaking pipelines.

★★★★★5.0Strong architecture, clear documentation, automated tests.
M-032026 · CLOSED 5.0

PROFESSIONAL REGISTRY EXTRACTION

Extraction and validation at scale: 7,010 validated records from a public physician registry, delivered clean and ahead of schedule.

★★★★★5.0Completed the work ahead of schedule and with accuracy. I would hire him again.
M-042026 · CLOSED 5.0

PRINT-VENDOR PRICING APIS

Six print vendors unified behind one pricing interface: a single contract over fragmented sources.

★★★★★5.0Clear, intelligent communication. Detail oriented.
M-052026 · CLOSED 5.0

MEDICAID FORM AUTOMATION

A manual government-form workflow automated end to end: fewer hands, fewer errors.

★★★★★5.0
06ANOMALY REPORTSOFFENSIVE RESEARCH

THE OTHER HALF OF BUILDING SYSTEMS THAT SURVIVE PRODUCTION: FINDING THE CRACKS IN EVERYONE ELSE'S. REAL, EXPLOITABLE, WITH A WORKING PROOF OF CONCEPT. IF THE IMPACT CANNOT BE PROVEN, IT DOES NOT BECOME A REPORT.

PROTOCOL · SIX-PHASE AUDIT · EVALUATED AFTER EVERY STEP

Every audit runs the same sequence. Nothing advances on a hunch. The AI-augmented pipeline widens the reach; the judgment of what is real stays with me.

00
Qualify
Confirm scope, surface and what is actually worth attacking.
01
Map
Full recon: exposure, forgotten endpoints, fresh code, leaked secrets.
02
Enumerate
Every point where untrusted input meets a dangerous sink or a value flow.
03
Attack
Systematic battery per target: tamper, race, sequence, state, code sinks.
04
Confirm w/ Proof
Only what is executed and captured: real request/response, hash, timestamp, 3x repro.
05
Close Coverage
Every surface tested or justifiably untestable. No "good enough".
THREE STATES: SUSPECTED CONFIRMED· REFUTED — ONLY CONFIRMED SHIPS · ZERO FALSE POSITIVES
13
COORDINATED
DISCLOSURES
10
PROGRAMS
INCL. FRONTIER LABS
1/4/8
CRITHIGHMED
SEVERITY SPREAD
0
DISMISSED AS INVALID
EVERY REPORT A REAL FINDING
◆ 2 PUBLISHED GITHUB SECURITY ADVISORIES · PUBLICLY CREDITED · CLICK THROUGH TO VERIFY · 1 BOUNTY PAID BY ANTHROPIC
AR-01JUN 2026 · CONFIRMED + BOUNTY PAID

SECURITY VULNERABILITY · ANTHROPIC

Found and reported a security vulnerability to Anthropic through their official bug bounty program on HackerOne. Reproduced with a working proof of concept, triaged, and awarded a bounty. Reported responsibly before the change reached a released tag.

PROGRAMANTHROPIC SEVERITYMEDIUM · CVSS 5.9 BOUNTY$2,000 · PAID STATUSREWARDED
◂ TRANSMISSION RECEIVED · 2026-06-03SIGNAL VERIFIED
FROM: SECURITY TEAM · ANTHROPIC · RE: REPORT #3736738
"Thank you for this detailed report and the clear proof of concept. We are awarding a bounty of $2,000 for this finding based on its assessed severity (Medium, CVSS 5.9) and the affected asset. We appreciate you reporting this before the change reached the released tag."
◆ VALID◆ REWARDED $2,000◆ RESPONSIBLY DISCLOSED
QUOTE IS THE PROGRAM'S PUBLIC AWARD MESSAGE · TECHNICAL DETAILS OMITTED UNDER RESPONSIBLE DISCLOSURE
AR-022026 · PUBLISHED + PUBLICLY CREDITED

AUTHORIZATION BYPASS · DIRECTUS

Row-level update permission bypass in Directus: /utils/sort and the GraphQL equivalent wrote attacker-supplied primary keys through raw knex, skipping the row filters. In multi-tenant setups a low-privileged tenant could reorder and corrupt content owned by others. Fixed and disclosed as a published GitHub Security Advisory, with public credit.

PROGRAMDIRECTUS · OSS ADVISORYGHSA-X5CW-W9XM-77V2 SEVERITYMODERATE · CVSS 6.5 CLASSCWE-863 · AUTHZ
◂ VIEW PUBLISHED ADVISORY · VERIFY CREDIT →
AR-032026 · PUBLISHED + PUBLICLY CREDITED

SSRF · MCP INSPECTOR

Server-side request forgery in the official Model Context Protocol Inspector: the authenticated /fetch proxy had no IP or hostname allowlist, so a malicious MCP server could pivot the proxy to internal addresses. Fixed and disclosed as a published GitHub Security Advisory, with public credit. Directly in the AI-agent supply-chain surface.

PROGRAMMCP INSPECTOR · OSS ADVISORYGHSA-55HW-XWFP-RHVC SEVERITYMODERATE · SSRF SURFACEAI-AGENT SUPPLY CHAIN
◂ VIEW PUBLISHED ADVISORY · VERIFY CREDIT →
◂ DISCLOSURE REGISTRY · 13 VALIDATED FINDINGS
PROGRAM NAMES SHOWN FOR REVIEW · ANONYMIZE UNRESOLVED ONES BEFORE PUBLIC LAUNCH · ◆ = PUBLISHED ADVISORY
AR-01ANTHROPICArbitrary file read via PR-controlled symlink · CWE-22 · bounty paidMEDIUM · 5.9
AR-02◆ DIRECTUSRow-level authorization bypass via raw knex writes · GHSA publishedMODERATE · 6.5
AR-03◆ MCP INSPECTORPost-auth SSRF via /fetch proxy · no IP allowlist · GHSA publishedMODERATE
AR-04KONGRCE via script sandbox escape · constructor bypass◆ CRITICAL
AR-05X / xAIArbitrary OS command exec via untrusted MCP server configHIGH
AR-06VERCEL / NEXT.JSMiddleware auth bypass · incomplete-fix of a prior CVEHIGH
AR-07KONGRCE · trust-grant bypass of the STDIO safety modalHIGH
AR-08UNICO IDTECHUnauthenticated cross-tenant disclosure of ID-verification sessionsHIGH
AR-09SPOTIFYCross-entity authorization bypass via path traversalMEDIUM
AR-10MONGODBArbitrary file write via path traversal · zip-slipMEDIUM
AR-11UNICO IDTECHLive analytics write-keys disclosed · arbitrary event injectionMEDIUM
AR-12BANCO PLATAUnrestricted API key + backend surface via public runtime configMEDIUM
AR-13BANCO PLATAPublic S3 bucket listing · 830 objects enumerableMEDIUM
TARGETS SPAN FRONTIER AI LABS, DEVELOPER PLATFORMS, IDENTITY AND FINTECH · WHITEBOX SOURCE AUDIT, BUSINESS-LOGIC, RECON AND AI/LLM SURFACES · TRACK RECORD: NO REPORT DISMISSED AS INVALID
07FIELD MANUALAUTHORED · 84 PAGES
Artificial Intelligence in Practice, book cover by Vinicius Pereira
PUB-01 · WRITTEN + PUBLISHED · FREE

ARTIFICIAL INTELLIGENCE IN PRACTICE

A free 84-page handbook on applied AI, written for developers who want to build with LLMs instead of just reading about them. Everything in it was tested by hand: from "what is a token" all the way to a working agent with tools, and what it costs to run.

◦ FOUNDATIONS◦ LOCAL MODELS◦ RAG◦ AGENTS◦ FINE-TUNING & COST◦ SECURITY◦ EVALUATION◦ 3 CAPSTONE PROJECTS
OLLAMA · QWEN · LLAMA · CREWAI · LANGGRAPH · MCP · CLAUDE
09OPERATOR FILEDOSSIER
OPERATORVINICIUS PEREIRA
STATIONNITEROI, BRAZIL · UTC-3
DISCIPLINEFULL-STACK AI ENGINEER
METHODWRITTEN-FIRST · AUDITABLE
SECURITY13 DISCLOSURES · 2 GHSA · ANTHROPIC PAID
STATUS● OPERATIONAL

A decade building data platforms inside one of Latin America's largest credit bureaus and two global consulting firms. On my own time, I ship products people pay for.

I work written-first: scope agreed in writing, decisions documented, delivery you can audit. The proof is on this page: running systems, tests that pass, contracts that closed at five stars.

◂ CREDENTIALS · ACCREDITATION · ALL VERIFIABLE
GOOGLE CLOUD RUN BADGE ANTHROPIC BUG BOUNTY · PAID 2 PUBLISHED GITHUB ADVISORIES APPLE APP STORE · DEVELOPER AUTHOR · 84-PAGE AI HANDBOOK 5.0 ON EVERY UPWORK CONTRACT
10OPEN A CHANNELCONTACT
BROADCAST FREQUENCY · REPLY GUARANTEED
hello@vinimabreu.dev

One transmission is enough: what you need, where the data lives, what done looks like. I reply with questions or a plan, in writing.

© 2026 · BUILT WITH NEXT.JS · DEPLOYED ON VERCEL NITEROI GROUND STATION · BRAZIL ● OPERATIONAL