Hire your first AI security engineer.
Your team ships with Claude, Cursor, Codex, and Copilot. Add @vidoc to a Slack channel or GitHub PR - it reviews every change they open, verifies the real exploits, and replies like a teammate in one Slack digest a day.
Backed by the Vidoc Security Lab - we reproduced Anthropic's Mythos findings, including a FreeBSD remote-root bug, using public models. Read the study.
feat(uploads): add user-controlled image proxy
+86 −2 · 1 file changed · src/api/proxy/route.ts
AI made shipping fast.
Security review didn't scale with it.
More code, less review
AI tools 3–10x your PR volume. Snyk, Dependabot, and Semgrep fire findings - but nobody owns the fix.
Scanners are loud and wrong
Hundreds of unverified findings. Engineers learn to ignore the channel.
Customers and auditors are waiting
SOC 2, ISO 27001, and procurement security questionnaires land on you.
Vidoc secures every PR.
You read one digest.
Click through to see what your team would see, end-to-end, across a single example finding.
- feat(uploads): add user-controlled image proxy · #1284 · opened 4 minutes ago by cursor-bot · acme/api · Vidoc reviewing
- refactor: drain queue worker on SIGTERM · #1282 · opened 12 minutes ago by maria-c · acme/api · Vidoc · clean
- fix(auth): session cookie expiry on refresh · #1283 · opened 38 minutes ago by alex-p · acme/web · Vidoc · clean
Vidoc reviews every PR, including the ones that don't need you. You only hear about the one that does.
Mythos-level security, on your codebase.
Using public models - GPT-5.4 and Claude Opus 4.6 - in an open-source coding agent, our research team reproduced three of four representative Anthropic Mythos findings, including the flagship FreeBSD remote-root NFS bug. The same engine now reviews every PR your team opens.
3 / 4 representative findings reproduced
Remote-root: flagship FreeBSD NFS bug
Public models: no special access required
Not a demo. Real bugs in repos you know.
These aren't synthetic examples. Vidoc found them in the Linux kernel and popular open-source projects — click through and read the public reports.
Kernel OOB read in netfilter H.323 Q.931 decoder
DecodeQ931() decremented a wire-supplied 16-bit length without checking for zero, wrapping to -1. The kernel decoder then read far past the buffer — network-reachable, no auth required.
Kernel OOB read in netfilter H.323 ASN.1 decoder
decode_int() called get_uint() without bounds-checking a length value read from a CONS-encoded H.323/RAS packet, causing a 1–4 byte slab-out-of-bounds read in the kernel.
SSRF to the internal network
A flawed private-IP check ignored the 172.16.0.0/12 range, so attacker-controlled DNS could make the scraper reach internal services.
Proxy auth key reused across sandboxes
Proxy auth keys were cached without scoping to the sandbox ID, opening a path to unauthorized access to other sandboxes.
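An added TypeScript example, not Vidoc's code and not the acme/api proxy route, illustrating the SSRF finding above: a private-range check that omits 172.16.0.0/12 beside a corrected one, plus the resolve-then-check step that closes the attacker-controlled-DNS path. The function names and range lists are assumptions of this example.

```typescript
// Added example (not Vidoc's code): private-range check for an image proxy.
// The flawed version mirrors the SSRF finding above: it blocks 10/8 and
// 192.168/16 but not 172.16.0.0/12, so 172.16-172.31 hosts pass as public.

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}
// True when the 32-bit address falls inside the dotted CIDR block.
function inCidr(ip: number, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const baseInt = ipv4ToInt(base);
  if (baseInt === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Flawed list: missing 172.16.0.0/12, the gap in the finding.
const FLAWED_BLOCKLIST = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"];
// Corrected list: all RFC 1918 ranges plus loopback, link-local (cloud
// metadata endpoints sit in 169.254.0.0/16) and the unspecified block.
const BLOCKLIST = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8"];

function isPrivateIPv4(ip: string, blocklist: string[] = BLOCKLIST): boolean {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // unparsable input fails closed
  return blocklist.some((c) => inCidr(n, c));
}

function isPrivateIPv4Flawed(ip: string): boolean {
  return isPrivateIPv4(ip, FLAWED_BLOCKLIST);
}
// Check every address the hostname resolved to, then connect to one of those
// resolved addresses rather than re-resolving: attacker-controlled DNS cannot
// swap in an internal address between the check and the connect.
function proxyTargetAllowed(resolvedAddrs: string[]): boolean {
  return resolvedAddrs.length > 0 && resolvedAddrs.every((a) => !isPrivateIPv4(a));
}
```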
Reply to Vidoc. It learns.
Tell Vidoc why a finding doesn't apply - in Slack, in the PR, in plain English. It remembers per repo and per team. No YAML, no triage dashboard.
Every suppression is audit-logged. You can override Vidoc; Vidoc cannot override you.
Open redirect via returnTo on /auth/callback
User-controlled returnTo flows into a redirect with no obvious allowlist.
Got it, Maria. Marked VID-2918 as not-applicable for acme/web · /auth/callback. I'll keep flagging open redirects on routes that skip that middleware.
Fits the tools your team already opens.
The questions a CTO actually asks.
Still missing something? Email contact@vidocsecurity.com or grab time directly.
Find the bugs Cursor wrote last week.
Connect a repo. Vidoc returns a short, verified list of real AppSec issues - with exploitability, severity, and a PR-ready fix prompt for each one.