Vitaly Simonovich
Vulnerability Research · Threat Intelligence · AI Security

VITALYSIMONOVICH

Security Researcher
0+

Years Experience

0

CVEs Discovered

0+

Public Speaking

0+

Press Mentions

BREAKING
TO DEFEND

Senior security researcher working across vulnerability research, threat intelligence, and AI security. I break systems the way real attackers do, from core internet infrastructure like DNS and glibc to browsers, web platforms, and LLMs, and turn those findings into practical defenses, threat reports, and education so organizations can stay ahead of attackers.

Core Expertise

Vulnerability Research
Threat Intelligence
LLM & GenAI Security
Jailbreaks & Prompt Injection
Application Security
Data Security
Offensive Security & CTFs
Security Education & Public Speaking

RECOGNITION & CVE DISCOVERIES

21 CVEs/10 High·8 Medium·3 Low/6 Awards
CVE Discoveries
~/research/advisories
21 entries

Incomplete fix for CVE-2026-21636 in the Node.js Permission Model: a local server can be started over a Unix domain socket without the --allow-net permission, bypassing the intended network restrictions. Affects Node.js 26; fixed in 26.3.1.

View advisory
Awards & Recognition

Security Vulnerability Credit

2026

WordPress

Credited for reporting an AJAX query-attachments authorization bypass, fixed in WordPress 6.9.2.

Security Vulnerability Credit

2026

ISC (BIND9)

Credited for reporting a NULL pointer dereference crash in BIND9's QP-trie cache, fixed in BIND 9.21.19.

Security Advisory Credit

2026

Jenkins

Credited for independent discovery of a link following vulnerability in Jenkins, reported through the Jenkins Bug Bounty Program sponsored by the European Commission.

Security Researcher Hall of Fame

2026

MongoDB

Recognized for responsibly disclosing a security vulnerability in MongoDB products.

AI Safety - Immersive world jailbreak

2025

Microsoft

Awarded for discovering the 'Immersive world' jailbreak in Microsoft's copilot.

AI Security - Edge browser prompt injection

2025

Microsoft

Indirect prompt injection vulnerability found in Microsoft's edge browser.

PRESS

65 mentions·54 outlets·2019–2026·29 featured
202621 articles
202535 articles
20221 articles
20198 articles

RESEARCH21

2026-06-16researchCato Networks Blog

Cato CTRL Threat Research: Operation Poisson - Analyzing a Cybercriminal's Entire Operation

Post-incident analysis of Operation Poisson, a 33-day campaign by a junior French-speaking threat actor against four individuals and a French automotive business. Captured command-by-command after the operator left SSH keys and a playbook in an open bucket, it shows how free-tier Havoc C2, a Python keylogger, and Tailscale plus OpenSSH built persistence that survived the C2 going offline.

threat intelligenceHavoc C2Tailscalecredential theftincident response
Read Article

SPEAKING11

conference

HashJack: Exploiting URL Fragments to Hijack AI Browser Assistants

Ekoparty Security Conference
May 22, 2026Miami, FL, USA

An indirect prompt injection technique that hides malicious instructions in URL fragments to hijack AI browser assistants, with real attack scenarios and defensive guidance.

No recording available

MY BLOG12

BreachLogicCVE-2025-15281Use-After-FreeglibcMemory CorruptionVulnerability Research

glibc wordexp() Memory Initialization Flaw - CVE-2025-15281

A 26-year-old Use-After-Free vulnerability in glibc's wordexp() function when using WRDE_REUSE and WRDE_APPEND flags together, affecting versions 2.0 through 2.42.

Get in touch
Lectures, interviews, or collaborations?

Always open to discussing new opportunities, interesting projects, or just chatting about security and AI.

Remote, available worldwide
Vitaly Simonovich | Security Researcher