The presence of a patch does not mean the deployability
The presence of a patch does not mean the deployability of said patch.
— Joshua Corman, 4/21
Read more
AI isn't the problem — asymmetry is
AI isn't the problem — asymmetry is. The number of vulnerabilities, the ability to find them, and the comparative cost between finding them and fixing them. AI makes gap bigger, and puts the ability to find and exploit in to more hands.
Mythos feels a lot like Snowden
Mythos feels a lot like Snowden. When Snowden dropped, everyone in the game already knew it was happening — but it was the first time the collective zeitgeist had had the thought — and it reshaped how everyone else thought about a lot of things. It was the trigger for cybersecurity being
Security-focussed test/fix is basically “sparkling QA”
On a Firefox blog post boasting that Mythos found 270 new bugs and concluding "the defects are finite, and we are entering a world where we can finally find them all": View on X →
Spicy Takes from my Aikido Security Podcast
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.