
Dawid Moczadło
CTO & Co-Founder of Vidoc Security Lab
Security researcher and ethical hacker with a passion for finding and fixing vulnerabilities at scale. Ethically hacked the biggest tech companies in the world. A former No. 1 ethical hacker in Poland (by Microsoft) and a CTF competitor with team P4. Recognized as Forbes 30 under 30 honoree and featured in leading global media including Bloomberg, The Washington Post, CNBC and others.
Articles by Dawid Moczadło
8 articles published
October 24, 2025 (5mo ago)
How we helped make Lovable more secure
A technical deep-dive into exploiting Firebase Auth emulator configuration via cookie injection, mixed-content bypasses, and subdomain trust boundaries - and how VIDOC helped Lovable secure their platform.
October 22, 2025 (5mo ago)
Detecting complex vulnerabilities in real-world code: LLM benchmark for enhanced software security
Traditional SAST tools often miss complex business logic flaws, but can LLMs fill the gap? Research publication by Klaudia Kloc and Dawid Moczadło introduces a real-world benchmark to evaluate AI effectiveness in identifying vulnerabilities that standard tools overlook.
August 18, 2025 (7mo ago)
Vibe Coding Security Vulnerabilities: risks, examples, and guardrails
Vibe coding accelerates delivery but raises security risk. This guide breaks down real failure modes (SQLi, XSS, auth bugs, deserialization/RCE, memory safety, secrets, and supply-chain 'slopsquatting'), shows two code examples, and lists guardrails that actually work.
July 29, 2025 (8mo ago)
LLMs became dangerously good for cybersecurity
LLMs can now reliably spot real-world zero-day vulnerabilities through brute-force patience – this deep-dive explains why that's both impressive and alarming.
April 9, 2024 (2y ago)
State of Security Automation
SAST tools overlook more than 85% of CVEs in real-world scenarios. Outdated security automation can't keep pace with rapid code development, and there is the hidden cost of security automation: validating false positives.
October 30, 2023 (2y ago)
Security of new features in Next.js 14 - Server Actions, Taints
Next.js 14 (and 13) introduced many attack vectors without providing the tooling necessary for organizations to detect them. It is easier than ever before to expose server secrets, introduce unauthenticated "endpoints", or any other issue that will make you vulnerable.
October 24, 2023 (2y ago)
Escalating debug mode in Django to RCE, SSRF, SQLi
Security implications of DEBUG=true in Django. Learnings from an ethical hacker's perspective.
May 16, 2022 (3y ago)
Hacking Swagger-UI - from XSS to account takeovers
We have reported more than 60 instances of this bug across a wide range of bug bounty programs, including companies like PayPal, Atlassian, Microsoft, GitLab, Yahoo, ...