Skip to content
← home

tag

#security

98 posts

The technical heart: vulnerability research, disclosure, threat analysis, the craft of finding and fixing

Casey Ellis on stage at SOURCE Boston 2014, next to a slide asking "So how do you get more eyes on security bugs?"
Security

The Amended Linus's Law

Marcus Hutchins says LLMs just killed "many eyes make all bugs shallow." He's half-right. Linus's Law was never wrong, it was incomplete: the missing variable is incentive, and AI just gave it teeth on both sides.…

13 Jul 2026 · 5 min read
Security

Slopdemic, Not Vulnpocalypse (Yet)

I joined Sherrod DeGrippo on the Microsoft Threat Intelligence Podcast this week to talk about how AI is reshaping vulnerability research, disclosure, and patching.…

05 Jul 2026 · 2 min read
Security

AI Didn't Break Vulnerability Disclosure. It Exposed What Was Already Broken.

There's a sentence I keep coming back to from a conversation Josh Bressers and I had recently on Open Source Security: we&…

29 Jun 2026 · 4 min read
Casey Ellis on VulnCheck Threat Con One — vulnerability disclosure post-Mythos
Thinking

The Hitchhiker's Guide to Vulnerability Disclosure in 2026

Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.…

17 May 2026 · 13 min read
Security

Thoughts on the #slopdemic

Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.…

04 May 2026 · 2 min read
Thinking

The top five turtles in a stack of 50

AI defense and code review get the funding, but hospitals still run XP and Ivanti falls over weekly. The security industry is ignoring 45 of its 50 turtles.…

02 May 2026 · 1 min read
Thinking

Cryptographically enforced disclosure

A speculative proposal: cryptographically enforced vulnerability disclosure using a drand-triggered dead-man switch to make CVD fallback dates unbreakable.…

01 May 2026 · 1 min read
Security

Peacetime cyber versus wartime cyber

Cyber defense doctrine was built during 15 years of peacetime; the transition to wartime and austerity demands a rewrite of what we accept as polite.…

30 Apr 2026 · 1 min read
Security

AI isn't the problem — asymmetry is

AI isn't the security problem — it widens the asymmetry between vulnerability discovery and remediation, putting attack capability in many more hands.…

27 Apr 2026 · 1 min read
Security

Mythos feels a lot like Snowden

Mythos is to vulnerability awareness what Snowden was to surveillance: the moment the zeitgeist finally caught up to what insiders already knew.…

26 Apr 2026 · 1 min read
Hot Takes

Security-focussed test/fix is basically “sparkling QA”

A short reaction to Firefox's claim that AI-found defects are finite: security-focused test-and-fix is basically QA wearing a fancier hat.…

25 Apr 2026 · 1 min read
Security

Spicy Takes from my Aikido Security Podcast

Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.…

24 Apr 2026 · 5 min read