Vulnerability economics
* Every vulnerability costs something to put there. * Every vulnerability costs something to discover. * Every vulnerability costs something to fix. * The exploitation of every vulnerability has a value associated with it.
caseyjohnellis
hacker/hustler. chairman/founder/cto @bugcrowd and cofounder @disclose_io. husband, dad, musician, believer. pioneer of crowdsourced security as-a-service.
Policy
No More Free-ish Bugs
There's a fresh conversation happening about the distinction between bug bounty programs and vulnerability disclosure programs. This is an area where the distinction between a bug bounty program (cash or cash equivalent proactively offered to the public) and a vulnerability disclosure program (which can optionally offer a thank-you
Building
Next things...
Last Saturday Jan 31 was my last day "inside the tent" at Bugcrowd.
Bugcrowd 2013 to 2025 - People and Places
Security
For the Love of the Game: DistrictCon's Year 1 Junkyard
Notes from judging DistrictCon's Junkyard Year 1 — a Pwn2Own-style exploit contest targeting end-of-life devices. Disco balls, DNA sequencers, gym treadmills, and self-propagating game worms. Includes exploit chain diagrams for all eleven talks.
Thinking
2026 security predictions
2026 cybersecurity forecast: China's PLA centenary looms, AI turns anyone into a malware developer, and economic pressure pushes more people toward cybercrime. Shift-left finally start working—but only for modern code. The rest of the internet? A triage trash fire.
Thinking
2025 security predictions retrospective
This time of year, everywhere you see, security guys like me are sharing our hot takes for the year ahead. However, reflecting on the past year is equally important. I like to see how my previous predictions held up and how things actually played out.
Thinking
First Principles: Bad guys are humans, they're creative and driven, and they don't quit.
Here's the bigger question: If we do finally achieve 100% success in automating cyber defense, will the "bad guys" pack their stuff up and go home?
Hacker Summer Camp 2025 - People, Places, and Things
A little photo diary of Hacker Summer Camp 2025.
Thinking
Founders Helping Founders: When Known Vulnerabilities are Life or Death
On today’s episode, Jon Sakoda speaks with Casey on the early economics of paying people to hack companies, criminal creativity, and why founders need to fix their known vulnerabilities.
Building
What You Give Away Might Be Worth More Than What You Keep
The sticking point is the word "free". If you do happen to get stuck there (and a lot of things will push you in that direction), a lot of the magic in the decision math gets missed. Everything has a Give and a Get and, if you're doing it right, nothing is ever given away for free.
Building
If a tech solution falls in the forest...
A solution disconnected from it's problem isn't actually solving anything.