Thinking
The Hitchhiker's Guide to Vulnerability Disclosure in 2026
Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.
The technical heart: vulnerability research, disclosure, threat analysis, the craft of finding and fixing
Security
Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.
Thinking
AI defense and code review get the funding, but hospitals still run XP and Ivanti falls over weekly. The security industry is ignoring 45 of its 50 turtles.
Thinking
A speculative proposal: cryptographically enforced vulnerability disclosure using a drand-triggered dead-man switch to make CVD fallback dates unbreakable.
Security
Cyber defense doctrine was built during 15 years of peacetime; the transition to wartime and austerity demands a rewrite of what we accept as polite.
Hot Takes
Mythos as a tactical Anthropic marketing play against OpenAI — and why open-weight models already made the world-ending case before any of it landed.
Security
AI isn't the security problem — it widens the asymmetry between vulnerability discovery and remediation, putting attack capability in many more hands.
Security
Mythos is to vulnerability awareness what Snowden was to surveillance: the moment the zeitgeist finally caught up to what insiders already knew.
Hot Takes
A short reaction to Firefox's claim that AI-found defects are finite: security-focused test-and-fix is basically QA wearing a fancier hat.
Security
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.
Security
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.
Security
As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.