The Hitchhiker's Guide to Vulnerability Disclosure in 2026

Casey Ellis on VulnCheck Threat Con One — vulnerability disclosure post-Mythos
Header image: VulnCheck Threat Con One interview, recorded at RSA 2026.

Or: what a bunch of us have been saying since Mythos dropped, in three RSAC interviews and most of the hallway conversations in between.


DON'T PANIC

If you work in security, you've spent the last month and a half in a conversation that won't stop accelerating. On April 7, Anthropic announced Mythos — the Claude model that autonomously found tens of thousands of previously unknown vulnerabilities across every major operating system and browser. They restricted the preview to a handful of US companies under Project Glasswing. They sat on most of the disclosures because more than 99% of what Mythos found wasn't patched yet, and dumping the lot would have lit the internet on fire. On May 11, the first public proof landed when Daniel Stenberg wrote up Mythos finding a curl vulnerability. The headline writers have been having a great time.

Here's a thing worth flagging up front. In the weeks before Mythos dropped, I sat down for three interviews (they're listed at the end of this post), all of them recorded pre-Mythos, all of them at or around RSA, all of them about more or less the same conversation we are now having at full volume.

None of us were talking about Mythos in those conversations because none of us knew about Mythos. We were talking about AI slop, OODA-loop compression, why curl had to pause its bounty, what the receiving end of disclosure actually looks like in 2026, and where the next narrative arc was going to come from. Mythos is the news. The conversation that broke open around it isn't actually new. It's the conversation hackers have been having amongst themselves since at least 2014, and that we were already having out loud at RSA two weeks before the news cycle caught up.

So while everyone else is busy being either terrified or triumphant about Mythos, here's the field guide I wish I could hand to every CISO, every maintainer, every kid currently breaking something in a basement on a Tuesday night. There's a towel in here somewhere.


Part One: The Issues of Physics

Most of the confusion in the post-Mythos panic comes from people arguing about whether to have a vulnerability disclosure conversation, as if it's optional. It isn't. Vulnerability disclosure, and the vulnerability disclosure program (VDP) that receives it, is an issue of internet physics.

If you are on the internet, you have screwed something up, and someone outside your organization will find it. That sentence is QED. People aren't perfect, computers magnify mistakes, and bugs are a fact in and of themselves — like weather. There's no version of this where you opt out. The only thing you get to choose is whether the report arrives at your security team, on Twitter, or in an extortion email.

A useful way to think about this:

  • Bugs are like the weather. They happen. They are not (necessarily) a moral failing on the part of the vendor, and they are not malice on the part of the finder. They are an issue of Internet physics.
  • A VDP is a lightning rod. It says: if the storm comes, here is where the strike goes so it doesn't burn down the house. You don't have to like the storm. You do have to put up the rod.
  • A bug bounty is shooting rockets with wire into the cloud. It's deliberate, expensive, and only a few organizations are actually ready for it. The curl bounty program — God bless Daniel and the team — probably should never have been a bounty in the first place; you can't run rockets-with-wire infrastructure on volunteer maintainer time. A bounty is an optional feature of a vulnerability disclosure program (per NIST SP 800-53 Rev. 5, which I was a core contributor to), not a substitute for one.

Mythos and Aardvark/Daybreak didn't change the physics; they revealed it. They made the storms bigger and a lot more frequent. The miracle isn't that AI is finding bugs at scale. The miracle, as it has been for thirty years, is that the internet still works at all.


Part Two: What Actually Changed in May 2026

Five things converged in roughly six weeks. Not all of them are AI's fault, but AI is the accelerant under all of them.

1. The slop firehose. AI-assisted bug submission has put the ability to find, file, and follow up in the hands of orders of magnitude more people. Most of what comes out the other end is junk — convincing-looking junk, which is worse than the obvious junk we got in 2014. Daniel Stenberg paused the curl bounty for exactly this reason. He's not against bounties. He's against drowning.

2. The OODA loop collapsed. Observe, orient, decide, act — the loop defenders rely on has been compressed by AI to a width humans literally can't fit inside. We're going to have to rethink which steps a human owns, and accept that some of them get delegated to systems we're going to have to learn to trust. This is something I predicted back in 2022 when I was first exposed to the offensive potential of frontier LLMs, and we're now seeing play out for real.

3. Offense got cheaper before defense got faster. Defense was always offense's child — you build the wall after something teaches you why. AI gives both sides agility, but offense was always structurally more nimble because the cost of failure is just you don't get a shot. The defender's worst-case is the production database, gone. That asymmetry didn't change in 2026. It just got priced in.

A useful way to think of this: the Defender's Dilemma / Attacker's Advantage runs at, say, 10:100 in peacetime. AI cubes the capability of both sides. Defenders can and should be excited about that, but they should also notice that the ratio is now 1,000:1,000,000, and it is the gap between the two numbers, not the growth in either one, that is the actual root cause of the problem. I've picked these numbers out of the sky, of course, but they illustrate the point.

4. The norms quietly evaporated. A lot of our "rules of politeness on the internet" doctrine got written during ten to fifteen years of relative peace and prosperity. We've been transitioning out of that since 2020, and then we sprinkled AI on top. Letters of marque are sitting in Congressional drafts right now. Non-cooperative defense — the idea that you can break into someone else's vulnerable system to fix it on their behalf — is being discussed in rooms that didn't used to discuss it. I'm not advocating for any of this. I just don't see how we avoid some of it.

5. Mythos made the scale legible. It is one thing to know the long tail of unpatched bugs is vast. It is another thing to watch a single model produce ~300 unknown findings in Firefox alone, and to realize the only reason we aren't reading about all of them is that Anthropic is sitting on 99% of the disclosures because the maintainers haven't caught up. That is the headline. The deeper story is that the bugs were already there. Mythos didn't create them. It made them undeniable.


Part Three: For Vendors (Or: The Grown-ups Holding the Lightning Rod)

If you ship software and people use it (hosted, installable, on a physical device, or F/OSS), this section is for you. Pin it to whatever you use for runbooks.

1. You already have a VDP. You just might not be getting the report. Decide whether yours has a front door. If it doesn't, the report is going to land on Twitter, in your CEO's LinkedIn DMs, or — in the worst case — in an extortion attempt. The Optus breach researchers literally said afterwards, had there been a vulnerability intake point we could have sent this to, we just would have done that. They didn't start as criminals. They escalated into crime because nobody told them how not to.

2. Two things in security.txt, minimum. A contact method. A policy. The policy needs a definition of good faith and a written promise that you will not pursue legal action against research that stays inside it. Use the Disclose.io boilerplate. It exists precisely so your lawyers don't have to, and so they have a gold-standard document, vetted by the largest companies on the Internet, to use as a comfort reference. Getting boilerplate language past a roomful of lawyers was, by the way, instrumental to making the 2022 DOJ change to CFAA charging policy possible. That's not a marketing claim. That's the historical record.

3. Set timing expectations proactively. 90 days is the default that survived two decades of arguing. If you're a medical-device manufacturer, a satellite operator, or anyone whose regression testing is measured in months, say "we need up to a year", and say it on day one. Silence is what produces ugly Twitter drops. A boundary you announced is a boundary the researcher will mostly respect.

4. Boil it down, but don't burn it. Your VDP needs to be legible to a researcher whose first language is Hindi or Spanish or Mandarin, not English. We see this every day. A War-and-Peace policy fails not because researchers are stupid but because they're global. If your policy reads like the output of a securities lawyer who got paid by the word, rewrite it.

5. Don't NDA the public. If a researcher found a bug in your publicly-accessible product on their own initiative, they own the IP of that finding. Asking them to sign away their disclosure rights with no consideration in return is, frankly, an attempt to use a piece of paper to repeal the laws of physics. NDAs are appropriate when you invited them in, gave them access, and there is a "given and get." For everything else, they aren't.

6. Don't paywall advisories. Hiding security information behind a customer login is anti-anti-fragile. The goal is transparency, period. I understand every special case people will write me about. The general principle still holds.

7. Don't run a bounty before you can run a VDP. Public bug bounty maturity is downstream of internal vulnerability management maturity. If you don't already know how to triage, prioritize, and patch on a known cadence, you will get firehosed and shut your program down within a year. The Mythos era is going to be unkind to programs run on hope.

8. The 80/20 of slop triage. AI can plausibly take ~80% of inbound — automated reproduction, deduplication, qualification, the "is this even a thing" question. The remaining 20% — edge cases, chained findings, weird-class novelty, fraud attempts — is where human judgment dominates. Build for both. Don't pretend you can fully automate the 20.

9. Don't penalize, incentivize. The right response to AI-slop reports isn't to lower payouts across the board. It's to raise the payouts for the work you want more of. Let the cost of low-tier findings trend toward zero. Let the price of the rare hard bugs climb. Markets work.

10. Keep a visible "known bad actor" list. Not a hall of shame. A we told you, you ignored us, you're now muted signal so the rest of the community can calibrate. Most bad actors aren't malicious. They're undertrained. The visible boundary is part of the training.

11. When a report reads as angry, get curious. We discovered at Bugcrowd that a particular regional community's "aggressive" reports were just the tone they thought was required to get Western companies to pay attention. One polite pushback de-escalated almost every one. There are a thousand more of these patterns. Don't read tone as content.

12. Compliance theater is about to get repriced. Pentests sold to organizations that don't actually care about the result are going to come under heavy pressure. AI is going to make that work cheaper and the buyers are going to notice. If the only reason for your pentest is a checkbox, expect the checkbox to get cheaper. If the reason is risk reduction, the price will hold.

13. The asymmetric question. What is this bug actually worth? The value spectrum runs from zero (slop) to seven figures (handset 0-day in the intelligence-community market). Where are you on that spectrum? If a competitive offensive-procurement market exists for your product, you probably need a paid program regardless of where you are on your VDP journey. If it doesn't, lightning rod is probably enough.

14. Become a CNA when you're ready. A CVE Numbering Authority badge is a proxy indicator of security maturity, both for the researchers picking where to submit and for the buyers reading your posture. It is also a real commitment. Don't take it on as marketing.


Part Four: For Researchers (Or: The Polite Guide to Calling Babies Ugly)

If you find bugs and want to disclose them without getting your door kicked in, this section is for you.

1. The vendor is probably not ready for you. Disclosure is, in the framing one of my hosts used, walking through the front door and calling someone's baby ugly. If the receiving side isn't prepared, the conversation is inherently adversarial — not because they're malicious but because they're surprised. Empathy is force-multiplying.

2. Use the front door first. security.txt, the VDP page, the email in the policy. If none exist, the Disclose.io programs database is your friend. Twitter and LinkedIn are escalation paths, not first contact.

3. A cease-and-desist is a letter from a fancy letterhead. It is not a court order. Fewer than ten people in the entire history of CFAA have actually been prosecuted for good-faith disclosure. The chilling effect works only if you let it. If you get one, talk to a lawyer. If you can't afford one, see point 4.

4. The Security Research Legal Defense Fund exists. srldf.org. 501(c)(3), worldwide, grants for good-faith research under legal threat. We took the Maltese train-hacking case — kids got their door kicked in for a textbook disclosure — funded the defense for $20K, got them a presidential pardon, and there's now anti-hacking law reform in front of the Maltese Parliament. That's what happens when you don't fight this stuff alone. Tell every researcher you know that this is real and available.

5. Look where everyone else isn't. The early bounty hunters made fortunes on far-flung domains pre-EASM. EASM ate that surface. The 2026 equivalent is the bottom 20 turtles in the stack: hardware, firmware (half of what Flax Typhoon hosed was 1980s-style format-string bugs), COBOL, ASP.NET, Java. AI app-sec is the top five turtles in a stack of fifty. Everyone is staring at them. Go look at turtle 47.

6. Prompt injection is a genuinely new vulnerability class. First green field in years. Specialize.

7. Career advice has updated. "Get a CVE" used to be the default starter step. It still works, but in 2026 the better advice is get a CVE-equivalent advisory with your name on it, and get into a community. The advisory is the evidence. The community is the network, and the regulator of your rough edges.

8. Bounty math is information-asymmetry math. A bounty exists to reduce information asymmetry between a disparate group of finders and a single defender. Every bug is worth something — to fix, to find, to exploit. Price your own work against the spectrum, not against the average payout.

9. Don't AI-firehose. Self-policing used to be normal in this community. Hunters called each other out for extortion attempts, for bogus reports, for the whole register of bad behavior. That's a lot less true today, and it's making everyone's life harder. If you see your peers doing it, push back. We tarnish together.

10. Communication is the discriminator now. Many of us are neurodivergent. Most of us, when we see something broken that matters and the receiving side doesn't get it, get kind of angry. That's not a bug, that's the feature that made us good at this. But channelling that into something productive is its own craft. Get a community. Let people sand the edges down with you, not at you.
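Point 2 in Part Three (the vendor publishing security.txt) and point 2 above (the researcher looking for the front door) come down to the same file. What follows is an added example, not code from the original post, from Disclose.io or from any of the interviews: a small Python parser and checker for an RFC 9116 security.txt. It assumes the field names RFC 9116 defines (Contact, Expires, Policy) and its well-known path; the two sample files and the check date are constructed for the example. One caveat the post does not spell out: the RFC also requires an Expires line, and scanners commonly treat a missing or past Expires as "no usable security.txt", so the vendor's real minimum is three lines, not two.

```python
"""Parse and sanity-check an RFC 9116 security.txt file.

Added example, not from the original post. Field names follow RFC 9116;
the sample files and CHECK_TIME below are constructed for this example.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/security.txt"  # location mandated by RFC 9116
LEGACY_PATH = "/security.txt"                  # older location, still widely used

# Constructed samples: one usable file, one that will get a researcher nowhere.
GOOD_SAMPLE = """# constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2027-01-01T00:00:00.000Z
Policy: https://example.com/security-policy
Preferred-Languages: en, es, hi
"""
BAD_SAMPLE = """Contact: security@example.com
Policy: http://example.com/policy
"""
CHECK_TIME = datetime(2026, 5, 20, tzinfo=timezone.utc)  # constructed "now"


def candidate_urls(host: str) -> list[str]:
    """Where a researcher should look first (RFC 9116), then the legacy path."""
    return [f"https://{host}{WELL_KNOWN_PATH}", f"https://{host}{LEGACY_PATH}"]


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> list of values.

    Field names are case-insensitive, '#' lines are comments, blank lines are
    ignored. Lines with no colon are kept under '_malformed' so the validator
    can report them instead of silently dropping them.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime | None:
    """RFC 9116 Expires is ISO 8601; accept a trailing 'Z' on older Pythons."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def validate(fields: dict[str, list[str]], now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line: {line!r}")

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact (required by RFC 9116)")
    for c in contacts:
        # A bare address like security@example.com is not a URI; the RFC wants
        # mailto:. A human reporter will cope, automated tooling will not.
        if urlsplit(c).scheme.lower() not in ("https", "mailto", "tel"):
            problems.append(f"Contact is not an https/mailto/tel URI: {c!r}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once (required by RFC 9116)")
    else:
        dt = _parse_expires(expires[0])
        if dt is None:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")
        elif dt <= now:
            problems.append("security.txt has expired; treat its contents as stale")

    if "policy" not in fields:
        # Optional in the RFC, but it is where the good-faith definition and
        # the safe-harbor promise live, so flag its absence.
        problems.append("no Policy link: researchers cannot tell what good faith means here")
    for p in fields.get("policy", []):
        if urlsplit(p).scheme.lower() != "https":
            problems.append(f"Policy should be an https URL: {p!r}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate(parse_security_txt(sample), now=CHECK_TIME))
```

Run it against your own file before you publish: an empty problem list is the bar. The researcher-side use is `candidate_urls(host)` followed by an HTTPS fetch of each path in order, then `parse_security_txt` on the body; if the result fails `validate`, that is the point at which the Disclose.io programs database becomes the next stop, not Twitter.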


Part Five: The Ecosystem Layer

A few things you can't fix at the vendor or researcher level — they live at the ecosystem layer, and 2026 is the year to lean on them harder than ever.

Disclose.io. Boilerplate language, programs database, safe-harbor adoption tracking, and the policy maturity ladder. It exists to make VDP suck less across the internet. Use the language. Index your program. Push your vendor to adopt it.

SRLDF. The legal-defense backstop. Donate if you can. Apply if you need to. Tell every researcher you know.

CFAA reform. We got the DOJ charging-policy change in 2022 after seven years of accumulated precedent from adoption of the Disclose.io safe-harbor language. State laws didn't get that update. There are 50 separate interpretations of anti-hacking law in the US, and roughly 200 globally. The work isn't done.

CNA expansion. More organizations issuing CVEs themselves, in real time, with their name on the advisory, is the cleanest fix for several of the bottlenecks above. We have problems on the CVE side that need work, but the direction is right.


Part Six: The Question 2026 Is Actually Asking

I do a narrative-arc bit in conversations like these. Snowden in 2013 — "this affects me." Target and Home Depot in 2014 — "this hurts me." Ashley Madison in 2015 — "this hurts me in a way I can't insure against." Those three years are the reason hackers got a seat at the table. The reason any of this — Bugcrowd, HackerOne, Synack, the whole legitimization arc — was possible at all.

We are writing the next narrative arc right now, in real time, in the post-Mythos news cycle. The story is going to be told. The question is whether we tell it, or whether it gets told about us by people who don't understand the physics. Mythos isn't the end of the bug bounty industry. It's not the end of human vulnerability research either — even if AI solved every security problem we have today, which it isn't anywhere close to doing, the bad guys still have human intent, human creativity, and a permanent incentive to operate in the edges we leave behind. They will be there. Therefore we will be there.

What Mythos is, is the moment the public finally saw the long tail. It's the moment the vendor community has to decide whether VDP is something you do or something you have. It's the moment the researcher community has to decide whether to bring back the scrappiness, the creativity, the community self-regulation that the businessification of the hacker spent the last decade sanding off.


So Long and Thanks for All the Bugs

There's an Asimov line I've never been able to find again that runs roughly: the saddest aspect of life right now is that science gathers knowledge faster than society gathers wisdom. That's the 2026 cybersecurity story in one sentence. Mythos is the science. The wisdom — disclosure norms, safe-harbor language, CNA infrastructure, the community of researchers who care, the vendors who actually want the report — is the part that gets built one boring conversation at a time.

We've done it before. SQL injection got named in 1998 and solved the same year with prepared statements. It's still 50% of the bug class. Solved problems aren't solved. The work isn't a sprint. It's a long-tail clean-up operation that's going to outlast all of us.

Put up the lightning rod. Light the path for the people who want to help you. Be a little more empathetic than you have to be. And if you find a bug in something I work on — [email protected], and thank you in advance.

Don't panic.


Casey Ellis is the founder of Bugcrowd, the founder of Disclose.io, and a board member of the Security Research Legal Defense Fund. The three interviews referenced above were recorded during the week of RSA 2026: Bug bounties in the age of AI (runZero), AI Slop, and the Future of Hacking (Secure Disclosure), and From "Hackers Are Criminals" to Industry Leaders — What Changed? (VulnCheck).