The technical heart: vulnerability research, disclosure, threat analysis, the craft of finding and fixing
Thinking
As an industry we're focused on the top five turtles in a stack of 50. AI for defense and code review matters — we need to be doing it — but it gets the most attention because it gets the most funding because it's the most visible. Meanwhile
Thinking
Been playing around with the idea of cryptographically enforced disclosure. You disclose something — there's a CVD timeline and a fallback date. At the fallback, it all goes on the blockchain, with a drand-triggered encryption key as the dead-man switch. No one can say "we're just
Security
Peacetime cyber versus wartime cyber. We developed our cyber defense doctrine, policy, and technology through 10 years of peace and prosperity. We're now transitioning into austerity and warfare — what do we need to revisit? Throw the things that don't matter out the window, and start doing
Hot Takes
Tactically, Mythos is Anthropic marketing their asses off to beat OpenAI. It didn't put me in the doomer "world is ending" camp — open-weight models already had me there.
Security
AI isn't the problem — asymmetry is. The number of vulnerabilities, the ability to find them, and the comparative cost between finding them and fixing them. AI makes gap bigger, and puts the ability to find and exploit in to more hands.
Security
Mythos feels a lot like Snowden. When Snowden dropped, everyone in the game already knew it was happening — but it was the first time the collective zeitgeist had had the thought — and it reshaped how everyone else thought about a lot of things. It was the trigger for cybersecurity being
Hot Takes
On a Firefox blog post boasting that Mythos found 270 new bugs and concluding "the defects are finite, and we are entering a world where we can finally find them all": View on X →
Security
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.
Security
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.
Security
As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.
Security
* Every vulnerability costs something to put there. * Every vulnerability costs something to discover. * Every vulnerability costs something to fix. * The exploitation of every vulnerability has a value associated with it.
Security
Notes from judging DistrictCon's Junkyard Year 1 — a Pwn2Own-style exploit contest targeting end-of-life devices. Disco balls, DNA sequencers, gym treadmills, and self-propagating game worms. Includes exploit chain diagrams for all eleven talks.