Skip to content
← home

tag

#learn

94 posts

Processing experience into insight - retrospectives, lessons

Security

AI Didn't Break Vulnerability Disclosure. It Exposed What Was Already Broken.

There's a sentence I keep coming back to from a conversation Josh Bressers and I had recently on Open Source Security: we&…

29 Jun 2026 · 4 min read
Security

Thoughts on the #slopdemic

Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.…

04 May 2026 · 2 min read
Security

Offense Scales with Compute. Defense Scales with Committees.

Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.…

08 Apr 2026 · 11 min read
Security

Bug Bounties in the Age of AI

As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.…

27 Mar 2026 · 4 min read
Policy

The White House AI Framework: What It Says, What It Doesn't, and Why the Gaps Matter More

The March 2026 White House AI policy framework analyzed: seven pillars, and why the AI security omissions matter more than what's actually in the document.…

23 Mar 2026 · 7 min read
Policy

No More Free-ish Bugs

The line between bug bounty programs and vulnerability disclosure programs has blurred — and why pretending Red Bull and t-shirts count as a bounty hurts everyone.…

12 Feb 2026 · 1 min read
Thinking

2026 security predictions

2026 cybersecurity forecast: China's PLA centenary looms, AI turns anyone into a malware developer, and economic pressure pushes more people toward cybercrime. Shift-left finally start working—but only for modern code. The rest of the internet? A triage trash fire.…

26 Dec 2025 · 5 min read
Thinking

2025 security predictions retrospective

This time of year, everywhere you see, security guys like me are sharing our hot takes for the year ahead. However, reflecting on the past year is equally important. I like to see how my previous predictions held up and how things actually played out.…

16 Dec 2025 · 6 min read
Thinking

First Principles: Bad guys are humans, they're creative and driven, and they don't quit.

Here's the bigger question: If we do finally achieve 100% success in automating cyber defense, will the "bad guys" pack their stuff up and go home?…

26 Nov 2025 · 2 min read
Thinking

Peace-time Cyber vs War-time Cyber

A long read on how cybersecurity doctrine built during 15 years of geopolitical peacetime is failing as nation-state actors abandon restraint and discretion.…

02 Jul 2025 · 5 min read
Building

What You Give Away Might Be Worth More Than What You Keep

The sticking point is the word "free". If you do happen to get stuck there (and a lot of things will push you in that direction), a lot of the magic in the decision math gets missed. Everything has a Give and a Get and, if you're doing it right, nothing is ever given away for free.…

27 May 2025 · 1 min read
Building

If a tech solution falls in the forest...

A solution disconnected from it's problem isn't actually solving anything.…

27 May 2025 · 1 min read