Security-focussed test/fix is basically “sparkling QA”
On a Firefox blog post boasting that Mythos found 270 new bugs and concluding "the defects are finite, and we are entering a world where we can finally find them all":
Or: what a bunch of us have been saying since Mythos dropped, in three RSAC interviews and most of the hallway conversations in between. DON'T PANIC If you work in security, you've spent the last month and a half in a conversation that won't
Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.
Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.
Birbs, week two — what the system got wrong, four times, and what came back from the dead Follow-up to "Monitoring the Situation — The Internet of Birbs" When I hit publish on the birbs post last Wednesday, I described an "AI-powered nest monitor" with a straight face.