Jaroslav Lobačevski is a Staff Security Researcher at GitHub Security Lab with nine years of applied experience securing .NET and C# ecosystems. He combines deep application-security expertise with hands-on engineering, contributing to high-impact open-source projects like CodeQL—where he enhanced ASP.NET Core analysis and added detections for constant conditions and GitHub Actions injection—and ysoserial.net, improving .NET deserialization payloads. Formerly a Senior AppSec engineer at Bentley Systems, he has a strong background in static analysis, taint tracking, and vulnerability pattern detection, reflected in contributions to Roslyn analyzers and Security Code Scan. Based in Spain, Jaroslav pairs exploit development training with practical tooling improvements, often focusing on subtle class/attribute modeling and sanitization logic that enable more accurate automated detection. He’s known for improving test coverage and eliminating fragile code paths, turning research findings into production-ready analyzer rules.
9 years of coding experience
16 years of employment as a software developer
Win32 Exploit Development Bootcamp, Win32 Exploit Development Bootcamp at Corelan
Contributions:66 releases, 2 reviews, 810 commits in 4 years 11 months
Contributions summary:Jaroslav's contributions focused on enhancing the security aspects of the C# and VB.NET project, Security Code Scan. Their commits include removing potentially vulnerable code, rearranging test namespaces to improve code quality, and modifying the XSS analyzer to more effectively identify and address vulnerabilities. They also updated the codebase for improvements to the performance and security of the analysis.
Deserialization payload generator for a variety of .NET formatters
Role in this project:
Back-end Developer
Contributions:6 commits, 4 PRs, 4 comments in 1 year 3 months
Contributions summary:Jaroslav primarily focused on enhancing the ysoserial.net project by adding new deserialization payloads. Their contributions involved implementing specific formatters, namely XmlSerializer and DataContractSerializer, for ObjectDataProvider and WindowsIdentity gadgets. These additions demonstrate expertise in .NET deserialization vulnerabilities and payload generation. Furthermore, the user added a fix to handle a null reference exception, showcasing a commitment to code quality.
Find and Hire Top DevelopersWe’ve analyzed the programming source code of over 60 million software developers on GitHub and scored them by 50,000 skills. Sign-up on Prog,AI to search for software developers.
Request Free Trial
Jaroslav Lobačevski - Staff Security Researcher at GitHub