# Gemini Cherry-Pick Evidence Pack - David "Deivitto" Chaparro

Purpose: give Gemini all raw CV/profile evidence and a concise claim map so it can decide what to include per company/role without inventing unsupported claims.

Current public positioning:
- Security services
- Fullstack delivery
- Cloud & automation services

## Best Resume Variants

- Security / audit / protocol roles: use `security-resume.md` and `security-resume.tex`.
- Frontend / Web3 product roles: use `frontend-resume.md` and `frontend-resume.tex`.
- Fullstack / infra / product roles: use `fullstack-resume.md` and `fullstack-resume.tex`.
- AI / LLM tooling roles: use `ai-llm-resume.md` and `ai-llm-resume.tex`.

## Primary Raw Data Files

- GitHub user JSON: `raw-data/github/deivitto_user.json`
- GitHub repositories JSON: `raw-data/github/deivitto_repos.json`
- GitHub summary: `raw-data/github/github-summary.md`
- GitHub profile README: `raw-data/github/github-profile-readme.md`
- CV sources by role: `raw-data/cv-sources/`
- Proof pack: `raw-data/application-context/proof-pack-2026-05-29.md`
- Hashlock tuning: `raw-data/application-context/hashlock-resume-tuning-2026-05-26.md`

## High-Signal Claims To Consider

### Protocol Security / Audit

- 18+ managed security reviews across Spearbit, Cantina, Recon, and freelance work.
- 25+ contests.
- 7 Critical / 19 High / 30 Medium findings, plus Low/Gas/Informational findings.
- $16B+ aggregate TVL helped secure.
- Reviewed or contributed security work around Aave, Uniswap v4, Euler, OpenSea Pro, Axiom, DELV, Sphinx, Sudoswap, Glow, Redacted Cartel, and related DeFi systems.
- Judged 2000+ Cantina submissions across Superform, Blast, Uniswap v4, Axie Infinity, and Berachain.
- Built or used invariant/property workflows across Echidna, Medusa, Halmos, Foundry, and Recon-style generation.

### Aave / GHO / TokenLogic Work

- Include the Aave audit evidence prominently for security roles.
- Local Aave sources are in `raw-data/security-evidence/aave/`.
- Strongest files:
  - `raw-data/security-evidence/aave/tokenlogic-security-review.md`
  - `raw-data/security-evidence/aave/tokenlogic-findings.md`
  - `raw-data/security-evidence/aave/tokenlogic-interview-reference.md`
  - `raw-data/security-evidence/aave/tokenlogic-builder-profile.md`
- Useful wording: "Ran independent security review / invariant-testing work across Aave/GHO-related scopes, including aave-helpers, aave-stewards, gho-origin, and aave-proposals-v3; documented 15 confirmed issues and additional disproven claims with fork/property evidence."
- Useful wording for Recon/Aave v4: "Fuzzed Aave v4 to high critical coverage with property-based testing around core math and protocol modules."

### Recon / AI / Tooling Security

- Found and helped harden a critical RCE path in a Recon VS Code extension / AI-assisted test-generation workflow.
- Found an infinite token-usage / token-burn abuse bug in an AI platform. Keep platform name private unless disclosure permission exists.
- Existing portfolio source also phrases this as "Claude token-burn bug" and "VS Code RCE"; use the more conservative private-disclosure wording unless public naming is approved.
- Source files:
  - `raw-data/security-evidence/recon-rce-token-burn/proof-of-work-app.js`
  - `raw-data/security-evidence/recon-rce-token-burn/proof-pack-2026-05-29.md`
  - `raw-data/security-evidence/recon-rce-token-burn/security-resume.md`
  - `raw-data/security-evidence/recon-rce-token-burn/ai-llm-resume.md`

### Immunefi / HackenProof Bugs

- Found bugs through Immunefi and HackenProof bounty workflows.
- The HackenProof Critical is user-confirmed; the strongest local candidate is the Bucket Protocol liquidation-blocked / critical-class issue.
- Bounty evidence files are in `raw-data/security-evidence/bounty-issues/`.
- Strongest HackenProof files:
  - `raw-data/security-evidence/bounty-issues/issue-46-bucket-FIND03-liquidation-blocked.md`
  - `raw-data/security-evidence/bounty-issues/issue-47-dexalot-FIND01-delayed-transfer-collision.md`
  - `raw-data/security-evidence/bounty-issues/issue-40-lendvest-F1-closeEpoch-ordering.md`
  - `raw-data/security-evidence/bounty-issues/issue-42-lendvest-F3-order-count-drift.md`
  - `raw-data/security-evidence/bounty-issues/issue-43-lendvest-F4-rescue-missing-aave.md`
  - `raw-data/security-evidence/bounty-issues/issue-44-lendvest-F6-onreport-bounds-inversion.md`
- Strongest Immunefi files:
  - `raw-data/security-evidence/bounty-issues/IMMUNEFI-SUBMISSION-vault-drain.md`
  - `raw-data/security-evidence/bounty-issues/issue-22-kamino-F3-liquidation-gridlock.md`
  - `raw-data/security-evidence/bounty-issues/issue-27-neutron-F4-icq-deposit-refund.md`
  - `raw-data/security-evidence/bounty-issues/issue-29-jito-FIND01-slippage-hold.md`
  - `raw-data/security-evidence/bounty-issues/issue-33-aztec-bbpilcom-FIND04-shifted-poly-miss.md`
  - `raw-data/security-evidence/bounty-issues/issue-35-aztec-barretenberg-FIND01-boomerang-std-unique.md`
  - `raw-data/security-evidence/bounty-issues/issue-36-aztec-l1-FIND03-slasher-arbitrary-call.md`

## Role-Specific Cherry-Pick Guidance

### Hashlock / Web2 + Web3 Auditor

Use:
- Web2 security bridge plus manual audit review.
- Pentesting/AppSec/OSINT/OpSec background.
- Audit numbers and bounty wins.
- HackenProof confirmed Critical.
- RCE/token-burn hardening examples only if short and disclosure-safe.

Avoid:
- Too much frontend/product detail.
- Unnamed AI tooling unless the role values AppSec tooling.

### Morpho / Protocol Security Engineer

Use:
- Lending/vault/oracle/accounting/invariant testing.
- Aave, Euler, Uniswap v4, Axiom, Recon, Spearbit/Cantina.
- Aave/GHO/TokenLogic evidence.
- Morpho-specific repo evidence if available from GitHub JSON: `morpho-blue`, `morpho-invariant`.

Add if defensible:
- Formal verification / Halmos / Certora-adjacent workflows.
- Bug bounty handling and severity calibration.

### Frontend / Web3 Product Roles

Use:
- React/Next.js/SvelteKit, Web3 UX, wallet/trading UX, Supabase, Stripe, Tailwind, PWA, testing.
- Polychan, SolicitarIA, Fitora, getrecon.xyz.
- Security background only as a differentiator, not the headline.

If the role values fewer words, frame this as "fullstack delivery" and keep the portfolio proof compact.

Gap to fill:
- Add explicit `wagmi`, `viem`, performance metrics, tests, and production/user metrics when real.

### AI / LLM Tooling Roles

Use:
- Full-audit workflows, Recon workflows, AI-assisted property generation, prompt-injection defense, RCE hardening, token-burn abuse finding, human-in-the-loop evaluation.
- Python/TypeScript, CLI automation, GitHub workflows, Docker, PostgreSQL.

For public-facing materials, prefer the cloud/automation wording unless the role explicitly wants applied AI tooling.

Avoid:
- Overclaiming ML research, model training, or model-serving experience unless the target role accepts applied tooling evidence.

## Disclosure-Safe Suggested Bullets

- "Identified and helped harden a critical RCE path in a Recon VS Code extension / AI-assisted test-generation workflow by tightening command execution boundaries and adversarial input handling."
- "Found an infinite token-usage / token-burn abuse issue in an AI platform; documented the abuse path and mitigation direction under private disclosure constraints."
- "Reported bugs through Immunefi and HackenProof bounty workflows, including a user-confirmed HackenProof Critical."
- "Ran Aave/GHO-focused security review and invariant-testing work across steward/helper/bridge scopes, documenting confirmed issues and disproven claims with reproducible evidence."

## Do Not Overstate

- If a claim is private or under disclosure, avoid naming the affected platform/client unless explicitly allowed.
- If a finding was submitted but not confirmed, phrase as "reported" or "prepared/submitted" rather than "confirmed".
- For the HackenProof Critical, the user states it is confirmed; use that claim, but keep project details private if needed.
