Hi, I'm Michal Špaček.


developer and a trainer, Zend Certified Engineer

I'm into web, security, and performance. I build, break, and test web applications. I'm a Zend Certified Engineer since 2009. As a developer, I've learned a lot and I like to pass my knowledge and experience on my trainings. Since 2011, I've delivered over 150 workshops. I want to show other web developers why and how to build secure and fast web applications.


I've been speaking at more than 140 conferences and events, including WebExpo Conference in Prague, Czech Republic and Passwords conference in Las Vegas, USA, both multiple times. Check the list of all my Talks.

Head of Security in Shoptet

Starting January 2023, I'm the security team in Shoptet, the Central European Shopify alternative. It's a technical role, mostly. I've known Shoptet since at least 2012, I know many Shoptet people, present or past, and I love e-commerce, in my own way, so the decision wasn't that difficult. My Shoptet security team is the smallest and the largest at the same time - because everyone is my team member, some just don't know it yet. It would be very boring without them, and I couldn't do it without them either. We run tens of thousands eshops so there's a chance to influcence and motivate quite a large part of the market, and to royally mess it up, too. I've always loved it, both ways. My mission is to do it like I've always done, be transparent and don't require passwords to be changed every 91.5 days. Yes, we've already rolled out 1Password company-wide, why are you asking?

Occasional bug hunter

I find and report security issues because I care about the Internet and I want it to be more secure. I'm not trying to hide while doing so, and I don't want to cause any harm. I've reported both major and minor bugs to companies like Google (hall of fame record), Atlassian (hall of fame, problem description), T-Mobile (hall of fame), Operátor ICT (hall of fame, bug description), DomainTools (with a swift response), “Czechia” – a web hosting service by a Czech company called ZONER (customer login details dump), Alza (my post about the bug), CZC.cz and many others. If you want people like me to report security bugs to you easily, add security.txt file to your site.


Report URI developer

I joined Report URI, a real-time security reporting tool, in 2017. Founded by Scott Helme (runs Security Headers, too), later joined by Troy Hunt of Have I Been Pwned? fame. Both Scott and Troy are award-winning security researchers and bloggers. During those 5 years we've processed more than a trillion JSON and XML reports, doing even more than 5k reports/sec. I've tried adding enough tests, introduced static analysis with PHPStan and that allowed us to upgrade to PHP 8.0 even on Friday, Friday 13th. We knew what we were doing, we've started publishing penetration tests reports in full. Shortly before the end of my tenure, I've removed 125352 lines of code related to payments, replaced them with just 1443 new lines and all the Stripe things. Stripe folks then made sure we will not forget.

A developer in Slevomat.cz

I was working for one of the fastest growing on-line companies in the Czech Republic from September 2013 to June 2014. I've done a talk about how we've secured the application and user data. The slides from the talk are on-line and the talk is called How we have improved the security of Slevomat.cz (in Czech only).

Skyper based in Prague, Czech Republic

Absolutely awesome 5 years and 5 months since my Day One in Tallinn, Estonia until November 2012 in which I've learned gazillion of new things about how to build a service for hundreds of millions of users, how to build a company, and how to grow an office from few people up to a hundred.

WebTop100 juror a guarantor

I was a juror (2011–2018) and later also a guarantor (2014–2018) for the area of technical solution and security for WebTop100, the largest competition of company websites in the Czech Republic. I wrote several articles about the experience with the evaluation and also about the results.

Co-founder of hosting service tojeono.cz

In late 2003, my colleagues and I decided to purchase our own servers, which we've offered under the brand name tojeono.cz to use by our clients and other customers who required customized hosting services. I left the project after about a year and after two more years I also left my colleagues.

More about me and my experience at LinkedIn.