Featured
All →Latest
All →Slopdemic, Not Vulnpocalypse (Yet)
I joined Sherrod DeGrippo on the Microsoft Threat Intelligence Podcast this week to talk about how AI is reshaping vulnerability research, disclosure, and patching. It was
My Clanker Setup
A mate messaged me this week asking whether I'd ever written up my clanker setup — which harness I run, which models, what hardware, and
AI Didn't Break Vulnerability Disclosure. It Exposed What Was Already Broken.
There's a sentence I keep coming back to from a conversation Josh Bressers and I had recently on Open Source Security: we'd
The Hitchhiker's Guide to Vulnerability Disclosure in 2026
Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.
Coordinated, Until It Isn't
Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.
Thoughts on the #slopdemic
Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.
Continued Monitoring of the Situation
Week two of an AI-powered House Finch nest monitor: four model biases, a Wyze cam back from the dead, and a full pipeline rewrite before the eggs hatch.
"Monitoring the Situation" - The Internet of Birbs
Two pale-blue speckled eggs on the sunroom bookshelf turned into three cameras, an Unraid NAS, two AI models, and a journal that writes itself every morning. None of it had to be useful — it just had to be possible. Because joy.
Spicy Takes from my Aikido Security Podcast
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.
Offense Scales with Compute. Defense Scales with Committees.
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.
The Compliance Reckoning
AI makes security verification cheap, putting two decades of checkbox compliance, paper pentests, and audit theater under sudden economic pressure.
Bug Bounties in the Age of AI
As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.
Hot Takes
All →You get to choose your hard
Being known for what you're against is easy. Being known for what you're for
It's con season
It's con season — Black Hat, DEF CON, and the summer security-conference circuit are nearly here.
Find it and fix it
A fun exercise: run various models against deliberately vulnerable apps, and eval them on their ability to identify
Prompt-injection bumper stickers
Prompt injection is climbing out of the chat box and into the physical world. Print an adversarial instruction
Words mean things
If the AI era teaches you anything, let it be the lesson that words mean things.
The top five turtles in a stack of 50
AI defense and code review get the funding, but hospitals still run XP and Ivanti falls over weekly. The security industry is ignoring 45 of its 50 turtles.