Kevin George Leo

Software Engineer — Security & Program Analysis

MSc Computer Science, Saarland University
Hilfswissenschaftler, CISPA Helmholtz Center

📍 Saarbrücken, Germany

229 bugs surfaced · 213 confirmed · 6 CVEs · 1 GHSA

summary.md

Security researcher and software engineer with 2+ years of industry experience and active research in web security, JavaScript runtime differential testing, and vulnerability disclosure. Skilled in Python, JavaScript, and automated testing pipelines. Experienced in responsible disclosure with 6 CVEs and 1 GitHub Security Advisory. Pursuing an MSc in Computer Science at Saarland University, GPA 1.5.

experience.log

Work Experience

research-assistant

Research Assistant — CISPA Helmholtz Center for Information Security

Saarbrücken, Germany

  • Conducted differential testing across Node.js, Deno, and Bun to surface JavaScript runtime security bugs.
  • Designed and built an automated Python pipeline to run test suites across runtimes and post-process results for vulnerability detection.
  • Reported and responsibly disclosed security bugs to runtime maintainers via GitHub Issues.
  • Built a proof-of-concept UI deception attack exploiting Progressive Web App manifests on V8-based browsers (HTML, CSS, JavaScript).
  • Developed an automated Playwright framework simulating user authentication flows in 2FA-based environments.

programmer-analyst

Programmer Analyst — Cognizant Technology Solutions

Kochi, India

  • Supported business-critical ETL pipelines as Production Support Engineer on a health-insurance data warehousing project.
  • Monitored, triaged, and resolved production incidents via structured workflows using ServiceNow, Linux shell scripting, IBM DataStage, and SQL.
  • Led Root Cause Analysis as part of post-incident review, identifying systemic failures and preventing recurrence.
  • Implemented remediation and preventive controls that improved pipeline reliability and reduced incident volume.
  • Authored incident reports and SLA documentation for technical and business stakeholders.

thesis.diff

Master's Thesis

Cross-Runtime Bug Transference & the Robustness of Security Fixes — 2026

@@ pipeline @@

  + LLM-driven generation of proof-of-concept exploits directly from GitHub issue reports.
  + Cross-runtime execution to detect behavioral divergence and recurring bug patterns.
  + AST-based mutation testing (Acorn, Estraverse) to evaluate the robustness of existing security patches.

  • 229 bugs surfaced
  • 213 confirmed (186 previously unreported)
  • 57 weak fixes uncovered in npm packages
  • 6 CVEs published + 1 GHSA advisory

Repository: kevgeoleo / CrossRuntimeTests

Self-contained, reproducible test cases exposing behavioral differences across Node.js, Deno, and Bun — error timing, fs semantics, networking, crypto/encoding, and stream/buffer handling — each linked to the issue actually filed with runtime maintainers.

Tags: JavaScript, benchmark, test suite, cross-runtime, compatibility, Node.js, Deno, Bun

advisories.json

Published Advisories

Responsible disclosures resulting from thesis research, all confirmed prototype-pollution vulnerabilities.

CVE / GHSA       | Advisory                 | Description
-----------------|--------------------------|-------------------------------------
CVE-2026-25521   | GHSA-rxrv-835q-v5mh      | Prototype pollution vulnerability
CVE-2026-25047   | GHSA-2733-6c58-pf27      | Prototype pollution vulnerability
GHSA-gcrg-hrj9-ggqg | davideicardi/confinit | Prototype pollution vulnerability
CVE-2026-26021   | GHSA-2c4m-g7rx-63q7      | Prototype pollution vulnerability
CVE-2026-27212   | nolimits4web/swiper      | Prototype pollution vulnerability
CVE-2026-28491   | steveukx/properties      | Prototype pollution vulnerability
CVE-2026-33864   | mozilla/node-convict     | Prototype pollution vulnerability
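As an added illustration of the bug class behind every entry above (this is not code from any of the listed packages, nor from the thesis tooling), the following JavaScript shows a minimal recursive merge of the kind prototype-pollution advisories typically concern, a hardened form of the same function, and a self-check that reports whether a merge candidate modifies the shared Object.prototype. The merge functions, the `pollutes` checker and the JSON payload are hypothetical and constructed for this example only.

```javascript
// Added example: a minimal reproduction of the prototype-pollution pattern,
// its hardened form, and a defensive self-check. Hypothetical code, not taken
// from any of the advisories above.

// Unsafe recursive merge: iterates every key of `source`, including
// "__proto__", and walks into `target[key]`. For key "__proto__" that is
// Object.prototype, so nested values are written onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be used as a merge path: reaching any of them lets
// untrusted input step onto a prototype object instead of plain data.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: own enumerable keys only, blocked keys skipped, and the
// recursion target is only reused when it is an own, plain-object property.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] && typeof target[key] === 'object';
      if (!ownObject) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Self-check: merge a constructed payload into an empty object and report
// whether an unrelated fresh object now sees the injected property, which is
// the observable effect of Object.prototype being polluted. Cleans up after
// itself so repeated checks stay independent.
function pollutes(mergeFn) {
  // Constructed sample input: JSON.parse creates an *own* property named
  // "__proto__", which is exactly what reaches a naive merge from a request body.
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  try {
    mergeFn({}, payload);
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// Confirms the hardened merge still merges legitimate nested data.
function safeMergeKeepsData() {
  const merged = safeMerge({ a: { x: 1 } }, JSON.parse('{"a": {"y": 2}, "b": 3}'));
  return merged.a.x === 1 && merged.a.y === 2 && merged.b === 3;
}

console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));     // false
console.log('safeMerge keeps legitimate data:', safeMergeKeepsData());        // true
```

The `pollutes` check is the kind of regression test worth keeping next to a fix: it exercises the merge with an own `__proto__` key (as produced by `JSON.parse`, not by an object literal) and asserts on a fresh object rather than on the merge result, which is where pollution actually becomes visible.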

skills.yml

Technical Skills

languages:

Python, JavaScript, PHP, SQL, C, C++, R

runtimes_and_web:

Node.js, Deno, Bun, HTML, CSS, PWA

testing_and_automation:

Playwright, Differential Testing, AST Mutation (Acorn / Estraverse)

security_tools:

Autopsy, Hashcat

dev_tools:

Git, Linux, Figma, LaTeX, OpenAI API, Unix Shell, ServiceNow

education.md

Education

MSc Computer Science — Saarland University

Saarbrücken, Germany

Relevant coursework: Security, Web Security, Human Computer Interaction, Data Networks, Software Engineering. Completed CTF challenges covering XSS, SQLi, CSRF, and UI deception.

GPA 1.5

BTech Computer Science & Engineering — Rajagiri School of Engineering and Technology

Kochi, India

Relevant coursework: Data Structures, Operating Systems, Object Oriented Design and Programming, Database Design Principles, Data Communication, Design and Analysis of Algorithms, Cryptography and Network Security.

9.29 / 10

languages.yml

English: C1 · German: A2

contact.sh

Let's talk

Open to Software Engineering, Security, test automation, and DevSecOps roles across Germany.
