The #thoughtops blog · Casey John Ellis

security | ai | technology | policy | startups

Founder of Bugcrowd & disclose.io, pioneer of crowdsourced security as-a-service, principal of Tall Poppy Group. Sharp takes on breaking things, building things, fixing things, and the economics in between.

Latest

All →
Security

Slopdemic, Not Vulnpocalypse (Yet)

I joined Sherrod DeGrippo on the Microsoft Threat Intelligence Podcast this week to talk about how AI is reshaping vulnerability research, disclosure, and patching. It wa

By Casey Ellis · 05 Jul 2026
Building

My Clanker Setup

A mate messaged me this week asking whether I'd ever written up my clanker setup — which harness I run, which models, what hardware, and whether I'd gone full Her

By Casey Ellis · 05 Jul 2026
Security

AI Didn't Break Vulnerability Disclosure. It Exposed What Was Already Broken.

There's a sentence I keep coming back to from a conversation Josh Bressers and I had recently on Open Source Security: we'd already gotten pretty bad at the intak

By Casey Ellis · 29 Jun 2026
Thinking

The Hitchhiker's Guide to Vulnerability Disclosure in 2026

Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.

By Casey Ellis · 17 May 2026
Policy

Coordinated, Until It Isn't

Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.

By Casey Ellis · 17 May 2026
Security

Thoughts on the #slopdemic

Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.

By Casey Ellis · 04 May 2026
Personal

Continued Monitoring of the Situation

Week two of an AI-powered House Finch nest monitor: four model biases, a Wyze cam back from the dead, and a full pipeline rewrite before the eggs hatch.

By Casey Ellis · 03 May 2026
Personal

"Monitoring the Situation" - The Internet of Birbs

Two pale-blue speckled eggs on the sunroom bookshelf turned into three cameras, an Unraid NAS, two AI models, and a journal that writes itself every morning. None of it had to be useful — it just had to be possible. Because joy.

By Casey Ellis · 29 Apr 2026
Security

Spicy Takes from my Aikido Security Podcast

Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.

By Casey Ellis · 24 Apr 2026
Security

Offense Scales with Compute. Defense Scales with Committees.

Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.

By Casey Ellis · 08 Apr 2026
Thinking

The Compliance Reckoning

AI makes security verification cheap, putting two decades of checkbox compliance, paper pentests, and audit theater under sudden economic pressure.

By Casey Ellis · 28 Mar 2026