Skip to content
← home

tag

#policy

30 posts

Where security meets society: advocacy, legal reform, government work, safe harbor, disclose.io mission

Casey Ellis on VulnCheck Threat Con One — vulnerability disclosure post-Mythos
Thinking

The Hitchhiker's Guide to Vulnerability Disclosure in 2026

Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.…

17 May 2026 · 13 min read
Policy

Coordinated, Until It Isn't

Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.…

17 May 2026 · 9 min read
Security

The FCC Just Banned Every Foreign-Made Router

The FCC added every foreign-made consumer router to the Covered List — a March 2026 supply-chain action that goes far beyond previous adversary-nation bans.…

24 Mar 2026 · 3 min read
Policy

The White House AI Framework: What It Says, What It Doesn't, and Why the Gaps Matter More

The March 2026 White House AI policy framework analyzed: seven pillars, and why the AI security omissions matter more than what's actually in the document.…

23 Mar 2026 · 7 min read
Policy

No More Free-ish Bugs

The line between bug bounty programs and vulnerability disclosure programs has blurred — and why pretending Red Bull and t-shirts count as a bounty hurts everyone.…

12 Feb 2026 · 1 min read
Thinking

Peace-time Cyber vs War-time Cyber

A long read on how cybersecurity doctrine built during 15 years of geopolitical peacetime is failing as nation-state actors abandon restraint and discretion.…

02 Jul 2025 · 5 min read
Policy

Builders and Breakers: Partnering for Secure Elections

In September 2023, the IT-ISAC Elections Industry SIG launched a first-of-its kind pilot program in which election technology providers gave security researchers access to modern voting technology under the principles of Coordinated Vulnerability Disclosure.…

13 Jun 2024 · 6 min read
Policy

DEF CON 31 Policy — All Your Vulns Are Belong to Terms and Conditions

DEF CON 31 Policy - All Your Vulns Are Belong to Terms and Conditions - DEF CON panel featuring David Rogers, Katie Trimble-Noble, Harley Geiger, and myself. Recorded on September 15, 2023 at DEF CON 31 in Las Vegas, Nevada.…

17 Sep 2023 · 34 min read
Policy

The iOS FaceTime vulnerability: What it means and what you can do to protect yourself

Yesterday news broke that a bug in FaceTime that allows callers to listen to the audio of the person they are calling before that…

16 May 2021 · 3 min read
Policy

How Governments are Running Effective Bug Bounty Programs

If you’re reading this article, statistically speaking your organization might be getting hacked. In the private sector, the Equifax hack and Intel’s…

16 May 2021 · 2 min read
Policy

Election Security 2020: Don’t Let Disinformation Undermine Your Right to Vote

A tweet of a voting machine that “looks like” it’s infected by ransomware could be as effective at deterring voter turnout and confidence as the real deal, which is a cost-effective and asymmetric means to manipulate election results.…

16 May 2021 · 2 min read
Policy

NIST: Vulnerability Disclosure as a Requirement for Every Organization

What is the NIST Cybersecurity  Framework? The NIST Cybersecurity Framework is a set of policies meant to help the private sector in strengthening their…

08 Mar 2021 · 2 min read