Vasilii Ermilov

Security researcher, bug hunter, software engineer.

Publications:

• Can LLMs Detect IDORs? Understanding the Boundaries of AI Reasoning
• Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex
• A Technical Deep Dive into Semgrep’s JavaScript Vulnerability Detection
• Exploiting dynamic rendering engines to take control of web apps
• Hardcoded secrets, unverified tokens, and other common JWT mistakes

Presentations:

• Can LLMs Really Find IDORs? Limits of AI Security Reasoning
  • BSides Vancouver (June 2026) [slides]
  • BSides Calgary (May 2026) [slides]
• Finding vulnerabilities in modern web apps using LLMs
  • CyberToronto (December 2025) [slides]
• Most common vulnerabilities in Github Actions
  • BSides Seattle (April 2025) [slides]
  • OWASP SnowFROC (March 2025) [slides]
  • BSides Singapore (September 2024) [slides]
• Saving a SAST Program in Distress
  • OWASP Toronto (April 2022) [video]
• Scale Security with Secure Defaults & Eliminating Bug Classes
  • OWASP Ottawa (July 2021) [video]