Offense Scales with Compute. Defense Scales with Committees.
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.
Last Saturday Jan 31 was my last day "inside the tent" at Bugcrowd.
2026 cybersecurity forecast: China's PLA centenary looms, AI turns anyone into a malware developer, and economic pressure pushes more people toward cybercrime. Shift-left finally starts working—but only for modern code. The rest of the internet? A triage trash fire.
Alfred Hobbs: The OG bug bounty hunter who cracked England’s ‘unpick-able’ locks. His breaker mindset exposed flaws, sparked innovation, and proved no system is perfect.
There's a pattern in how transformative ideas land. Every so often, one dumps itself onto the collective consciousness of the internet all at once — and in hindsight, the moment turns out to mark the early stages of a whole-of-society shift. * Google's NLP == the computer is trying
After hearing "vulnerability" and "threat" used interchangeably for a >9,000th time I decided to do something about it, and the Bar Fight Risk Taxonomy was born.
Props to Matt Ploessel for calling out this one... I'd not heard of a bounty around nuclear weapons until today.
Shannon and Kerckhoffs were pioneers of disclosure thinking — they understood the concept of “build it like it’s broken”. This was especially true in WWII cryptography, but it’s becoming increasingly clear in its relevance to the 'peacetime' software that we use today.
Or: what a bunch of us have been saying since Mythos dropped, in three RSAC interviews and most of the hallway conversations in between. DON'T PANIC. If you work in security, you've spent the last month and a half in a conversation that won't
Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.
Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.
Birbs, week two — what the system got wrong, four times, and what came back from the dead. Follow-up to "Monitoring the Situation — The Internet of Birbs". When I hit publish on the birbs post last Wednesday, I described an "AI-powered nest monitor" with a straight face.
Two pale-blue speckled eggs on the sunroom bookshelf turned into three cameras, an Unraid NAS, two AI models, and a journal that writes itself every morning. None of it had to be useful — it just had to be possible. Because joy.
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.
There's a dirty secret in cybersecurity. A lot of the money flowing into the industry isn't buying security. It's buying the appearance of security. And the people writing those checks? They know it. I've spent two decades building Bugcrowd and disclose.io,
As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.
The FCC just added all foreign-made consumer routers to the Covered List. Not routers from China. Not routers from adversary nations. All foreign-made consumer routers, from every country. Let that sink in for a second. As of March 23, 2026, no new consumer router model manufactured outside the United States
On March 20, the White House released its "National Policy Framework for Artificial Intelligence — Legislative Recommendations," a four-page document urging Congress to act on AI legislation "this year." The framework covers seven areas: child safety, community impacts, intellectual property, free speech, innovation, workforce development, and federal
* Every vulnerability costs something to put there. * Every vulnerability costs something to discover. * Every vulnerability costs something to fix. * The exploitation of every vulnerability has a value associated with it.
There's a fresh conversation happening about the distinction between bug bounty programs and vulnerability disclosure programs. This is an area where the distinction between a bug bounty program (cash or cash equivalent proactively offered to the public) and a vulnerability disclosure program (which can optionally offer a thank-you