Thoughts on the #slopdemic
Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.
Hacker, founder, advisor, and pioneer of crowdsourced security. Founder of Bugcrowd, co-founder of disclose.io, principal of Tall Poppy Group. Board member at SRLDF.
Personal
Birbs, week two — what the system got wrong, four times, and what came back from the dead Follow-up to "Monitoring the Situation — The Internet of Birbs" When I hit publish on the birbs post last Wednesday, I described an "AI-powered nest monitor" with a straight face.
Thinking
As an industry we're focused on the top five turtles in a stack of 50. AI for defense and code review matters — we need to be doing it — but it gets the most attention because it gets the most funding because it's the most visible. Meanwhile
Thinking
Been playing around with the idea of cryptographically enforced disclosure. You disclose something — there's a CVD timeline and a fallback date. At the fallback, it all goes on the blockchain, with a drand-triggered encryption key as the dead-man switch. No one can say "we're just
Security
Peacetime cyber versus wartime cyber. We developed our cyber defense doctrine, policy, and technology through 10 years of peace and prosperity. We're now transitioning into austerity and warfare — what do we need to revisit? Throw the things that don't matter out the window, and start doing
Personal
Two pale-blue speckled eggs on the sunroom bookshelf turned into three cameras, an Unraid NAS, two AI models, and a journal that writes itself every morning. None of it had to be useful — it just had to be possible. Because joy.
Hot Takes
Tactically, Mythos is Anthropic marketing their asses off to beat OpenAI. It didn't put me in the doomer "world is ending" camp — open-weight models already had me there.
Security
AI isn't the problem — asymmetry is. The number of vulnerabilities, the ability to find them, and the comparative cost between finding them and fixing them. AI makes the gap bigger, and puts the ability to find and exploit into more hands.
Security
Mythos feels a lot like Snowden. When Snowden dropped, everyone in the game already knew it was happening — but it was the first time the collective zeitgeist had had the thought — and it reshaped how everyone else thought about a lot of things. It was the trigger for cybersecurity being
Hot Takes
On a Firefox blog post boasting that Mythos found 270 new bugs and concluding "the defects are finite, and we are entering a world where we can finally find them all": View on X →
Security
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.
Thinking
We don't have a slop problem. We have an inability-to-prioritize problem. When it comes to security — and particularly vulnerability research, but really right across the board — the issue isn't that there's too much noise. It's that we can't figure out