Policy
Where security meets society: advocacy, legal reform, government work, safe harbor, disclose.io mission
The Hitchhiker's Guide to Vulnerability Disclosure in 2026
Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.
Coordinated, Until It Isn't
Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.
The FCC Just Banned Every Foreign-Made Router
The FCC added every foreign-made consumer router to the Covered List — a March 2026 supply-chain action that goes far beyond previous adversary-nation bans.
The White House AI Framework: What It Says, What It Doesn't, and Why the Gaps Matter More
The March 2026 White House AI policy framework analyzed: seven pillars, and why the AI security omissions matter more than what's actually in the document.
No More Free-ish Bugs
The line between bug bounty programs and vulnerability disclosure programs has blurred — and why pretending Red Bull and t-shirts count as a bounty hurts everyone.
Peace-time Cyber vs War-time Cyber
A long read on how cybersecurity doctrine built during 15 years of geopolitical peacetime is failing as nation-state actors abandon restraint and discretion.
Builders and Breakers: Partnering for Secure Elections
In September 2023, the IT-ISAC Elections Industry SIG launched a first-of-its-kind pilot program in which election technology providers gave security researchers access to modern voting technology under the principles of Coordinated Vulnerability Disclosure.
DEF CON 31 Policy — All Your Vulns Are Belong to Terms and Conditions
DEF CON panel featuring David Rogers, Katie Trimble-Noble, Harley Geiger, and myself. Recorded on September 15, 2023 at DEF CON 31 in Las Vegas, Nevada.
The iOS FaceTime vulnerability: What it means and what you can do to protect yourself
Yesterday news broke of a bug in FaceTime that allows callers to listen to the audio of the person they are calling before that person picks up. Today we learned that i
How Governments are Running Effective Bug Bounty Programs
If you’re reading this article, statistically speaking your organization might be getting hacked. In the private sector, the Equifax hack and Intel’s processor vulnerabil
Election Security 2020: Don’t Let Disinformation Undermine Your Right to Vote
A tweet of a voting machine that “looks like” it’s infected by ransomware could be as effective at deterring voter turnout and confidence as the real deal, which is a cost-effective and asymmetric means to manipulate election results.