The Hitchhiker's Guide to Vulnerability Disclosure in 2026
Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.
Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.
Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it has turbocharged them, and F/OSS is drowning.
Week two of an AI-powered House Finch nest monitor: four model biases, a Wyze cam back from the dead, and a full pipeline rewrite before the eggs hatch.
AI defense and code review get the funding, but hospitals still run XP and Ivanti falls over weekly. The security industry is ignoring 45 of its 50 turtles.
A speculative proposal: cryptographically enforced vulnerability disclosure using a drand-triggered dead-man switch to make CVD fallback dates unbreakable.
Cyber defense doctrine was built during 15 years of peacetime; the transition to wartime and austerity demands a rewrite of what we accept as polite.
Two pale-blue speckled eggs on the sunroom bookshelf turned into three cameras, an Unraid NAS, two AI models, and a journal that writes itself every morning. None of it had to be useful — it just had to be possible. Because joy.
Mythos as a tactical Anthropic marketing play against OpenAI — and why open-weight models already made the world-ending case before any of it landed.
AI isn't the security problem — it widens the asymmetry between vulnerability discovery and remediation, putting attack capability in many more hands.
Mythos is to vulnerability awareness what Snowden was to surveillance: the moment the zeitgeist finally caught up to what insiders already knew.
A short reaction to Firefox's claim that AI-found defects are finite: security-focused test-and-fix is basically QA wearing a fancier hat.
Security
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.
Thinking
The real security problem isn't AI slop — it's that vulnerability research and the broader industry can't prioritize what actually matters in the noise.
Thinking
The AI move in vulnerability research isn't prompting from scratch every run — it's using AI to build deterministic scanners, fuzzers, and analysis pipelines.
Security
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.
Thinking
AI makes security verification cheap, putting two decades of checkbox compliance, paper pentests, and audit theater under sudden economic pressure.
Security
As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.
Security
The FCC added every foreign-made consumer router to the Covered List — a March 2026 supply-chain action that goes far beyond previous adversary-nation bans.
Policy
The March 2026 White House AI policy framework analyzed: seven pillars, and why the AI security omissions matter more than what's actually in the document.
Security
The four-line economic frame for every vulnerability: cost to introduce, cost to discover, cost to fix, and the value of exploitation — and why the math matters.
Policy
The line between bug bounty programs and vulnerability disclosure programs has blurred — and why pretending Red Bull and t-shirts count as a bounty hurts everyone.
Building
Last Saturday, Jan 31, was my last day "inside the tent" at Bugcrowd.
Building
A photo retrospective of Bugcrowd from 2013 to 2025 — the people, offices, and moments that built the security crowdsourcing category from a Sydney garage out.