Policy
There's a fresh conversation happening about the distinction between bug bounty programs and vulnerability disclosure programs. This is an area where the distinction between a bug bounty program (cash or cash equivalent proactively offered to the public) and a vulnerability disclosure program (which can optionally offer a thank-you
Building
Last Saturday Jan 31 was my last day "inside the tent" at Bugcrowd.
Security
Notes from judging DistrictCon's Junkyard Year 1 — a Pwn2Own-style exploit contest targeting end-of-life devices. Disco balls, DNA sequencers, gym treadmills, and self-propagating game worms. Includes exploit chain diagrams for all eleven talks.
Thinking
2026 cybersecurity forecast: China's PLA centenary looms, AI turns anyone into a malware developer, and economic pressure pushes more people toward cybercrime. Shift-left finally start working—but only for modern code. The rest of the internet? A triage trash fire.
Thinking
This time of year, everywhere you see, security guys like me are sharing our hot takes for the year ahead. However, reflecting on the past year is equally important. I like to see how my previous predictions held up and how things actually played out.
Thinking
Here's the bigger question: If we do finally achieve 100% success in automating cyber defense, will the "bad guys" pack their stuff up and go home?
2026 cybersecurity forecast: China's PLA centenary looms, AI turns anyone into a malware developer, and economic pressure pushes more people toward cybercrime. Shift-left finally start working—but only for modern code. The rest of the internet? A triage trash fire.
Alfred Hobbs: The OG bug bounty hunter who cracked England’s ‘unpick-able’ locks. His breaker mindset exposed flaws, sparked innovation, and proved no system is perfect.
After hearing "vulnerability" and "threat" used interchangeably for a >9,000th time I decided to do something about it, and the Bar Fight Risk Taxonomy was born.
Props to Matt Ploessel for calling out this one... I'd not heard of a bounty around nuclear weapons until today.
security | technology | startups
A little photo diary of Hacker Summer Camp 2025.
On today’s episode, Jon Sakoda speaks with Casey on the early economics of paying people to hack companies, criminal creativity, and why founders need to fix their known vulnerabilities.
The sticking point is the word "free". If you do happen to get stuck there (and a lot of things will push you in that direction), a lot of the magic in the decision math gets missed. Everything has a Give and a Get and, if you're doing it right, nothing is ever given away for free.
A solution disconnected from it's problem isn't actually solving anything.
That said, the widespread nature of the effects shown in the six-part series are definitely plausible. Industrial control systems and the infrastructure that supports them are riddled with zero-day vulnerabilities, alongside the more common "known, yet unpatched" n-day vulnerabilities.
Crowdsourced security empowers ethical hackers to protect digital assets, reshaping cybersecurity. Casey Ellis encourages entrepreneurs to lead with resilience, delegate wisely, prioritize health, and embrace innovation amid chaos for lasting impact and scalable success.
Alfred Hobbs: The OG bug bounty hunter who cracked England’s ‘unpick-able’ locks. His breaker mindset exposed flaws, sparked innovation, and proved no system is perfect.
It was an privilege to participate on this panel at the NEBULA:FOG:PRIME AI x Security Hackathon event on the 25th of January.
It's that time of year again... Here are a few trends that I see making their presence felt in 2025 - These are a work in progress, and I might expand on a few of these: 1. Peacetime cyber vs. wartime cyber: 10 years from now, we'
What's the deal with Volt Typhoon, Salt Typhoon, and Flax Typhoon - and what do we need to do?
Synopsis In this episode of Resilient Cyber Chris Hughes chats with Cyber industry veterans and long-time leaders Wendy Nather and Casey Ellis about systemic cyber struggles, issues that still plague us over the years, and some of the economic incentives at play (or not) when it comes to cybersecurity. Casey
It’s been just over three weeks since I randomly “let the Internet know” that I was heading in for unexpected heart surgery...