security researcher

I build one thing.
I break everything else.

Co-founder and head of development at Sefthy, where I lead development and ship the code that turns enterprise grade backup and disaster recovery into something a small team can actually run. Off the clock, I hunt critical vulnerabilities. That’s two published CVEs so far, a TOP 10 spot on Bugcrowd Italy and a TOP 20 finish on Hack The Box²⁰²⁴.

see my experience see my CVEs

CVEs assigned

TOP 0

Bugcrowd Italy / critical

TOP 0²⁰²⁴

Hack The Box / global

shipping code since

SSRF/privilege escalation/HTTP request smuggling/OpenWRT/Kubeflow/disaster recovery/Laravel/Node/SSRF/privilege escalation/HTTP request smuggling/OpenWRT/Kubeflow/disaster recovery/Laravel/Node/SSRF/privilege escalation/HTTP request smuggling/OpenWRT/Kubeflow/disaster recovery/Laravel/Node/

Work

What I do, and where.

I build one product for real, and break plenty of others for sport. The offensive work keeps my own code paranoid in the right places; the building keeps the bug-hunting grounded in what actually ships.

Building products

Full-stack since 2016. At Sefthy I lead development of plug-and-play backup and disaster recovery that brings a downed server back online, in the cloud, in minutes.

Offensive security

Penetration testing, bug bounty and CTF. Two CVEs assigned, TOP 10 in Italy on Bugcrowd for critical findings, and TOP 20 globally on Hack The Box in 2024. I go for the bugs nobody thinks are exploitable.

Experience

2025 — Now

Co-founder & Head of Development · Sefthy

I lead development of the first fully plug-and-play backup & disaster recovery solution for SMBs — restoring business operations in the cloud, even in the most critical scenarios.
2021 — 2024

Software Developer & Security Specialist · Uania

Full-stack development at an Italian telecom startup: the UaniaShield cybersecurity solution, the devices’ proprietary OS, and all the platforms.
2016

Started shipping code professionally.

Signed, sealed, disclosed.

Vulnerabilities with my name on them.

CVE-2026-54745

SSRF + smuggling in Kubeflow Pipelines

Unauthenticated SSRF and HTTP smuggling on the /_proxy/ route, bypassing ENABLE_AUTHZ=true.

CVSS 10.0 · critical

CVE-2024-51240

Admin to root on OpenWRT LuCI

A flaw in the luci-mod-rpc package lets an admin account escalate to root through the JSON-RPC API.

CVSS 8.0 · high

At Sefthy we're on a mission to democratize enterprise-grade technology for small and medium businesses. When a server dies, it comes back online in the cloud in minutes. One click, no reconfiguration, no sleepless night.

Co-founder & Head of Development · sefthy.com

Have a system worth breaking,
or one worth building?

vito@carolillo.it

I build one thing.I break everything else.

What I do, and where.

Co-founder & Head of Development · Sefthy

Software Developer & Security Specialist · Uania

Signed, sealed, disclosed.

Have a system worth breaking,or one worth building?

I build one thing.
I break everything else.

Have a system worth breaking,
or one worth building?