
Posts by cje

ty sir

3 days ago 1 0 0 0

Wrote about the attacker-defender asymmetry and why AI made it worse -- "AI for defense" is stuck polishing the top five turtles while adversaries live in the bottom ten.

cje.io/2026/04/08/offense-scale...

3 days ago 14 7 1 2

PATCH YO’ UNIFI (CVSS 10.0) community.ui.com/releases/Sec...

1 week ago 1 0 0 0

The CVE program is "saved" by a mystery contract with a mystery number. Transparency? Not so much.

Plus: lookup.disclose.io beta is live, EU CRA hits 6 months, exploited vulns up 105%.

Policy Pulse #8: blog.disclose.io/policy-pulse-issue-8-wee... #CVE #PolicyPulse

2 weeks ago 0 1 0 0

#ff @bugcrowd.com @nop.codes @cyberscoop.bsky.social @dochackenbush.bsky.social @tib3rius.bsky.social @allanfriedman.bsky.social @yaelwrites.com @pivotcon.bsky.social @infosecjen.bsky.social @meggardiner.bsky.social @craiu.bsky.social @cyberstatecraft.bsky.social @mattkapko.com

1 week ago 0 0 0 0

#ff @dakotaindc.bsky.social @deciphersec.bsky.social @joemenn.bsky.social @esquiring.bsky.social @ellearmageddon.bsky.social @vincentledvina.bsky.social @pylos.co @srldf.bsky.social @andytseng.bsky.social @dieworkwear.bsky.social @lorenzofb.bsky.social @ryanaraine.bsky.social

1 week ago 4 1 1 0

#ff @daemontamer.bsky.social @weld.bsky.social @jags.bsky.social @singe.bsky.social @dennisf.bsky.social @ldpreload.so @wbm312.bsky.social @techmeme.com @debdebdeb.bsky.social @jvagle.me

1 week ago 4 0 1 0

Had a great chat with Mackenzie Jackson on The Secure Disclosure — contrarian takes on why not every org should run a bounty, AI slop being 2014 all over again, and why the internet still working is a minor miracle. #infosec #bugbounty

https://www.youtube.com/watch?v=QtcBhb_aqxk

1 week ago 1 0 0 0
Bug Bounties in the Age of AI As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how…

Bug Bounties in the Age of AI cje.io/2026/03/28/b...

1 week ago 3 1 0 0

CVE funding secured, but the deal details remain a black box. Plus: lookup.disclose.io is live in beta, exploited vulns surged 105%, and the EU CRA clock is ticking.

Policy Pulse #8: blog.disclose.io/policy-pulse-issue-8-wee...

2 weeks ago 0 1 0 0

It begins! We have a @cje.io (and our " @allanfriedman.bsky.social " of course 😉

3 weeks ago 3 1 0 0
The Hive at RSAC | Bugcrowd RSAC is the briefing. The Hive is the debrief. A place to sort the signal, hosted by Bugcrowd

Day $NEXT of RSAC is underway… Looking forward to catching up with folks, chilling at the @decibelvc Founder Festival, and the @bugcrowd HIVE Reception later on this evening. See you in the village!

www.bugcrowd.com/the-hive/

2 weeks ago 1 0 0 0
[un]prompted 2026 Share your videos with friends, family, and the world

[un]prompted 2026 videos are out today… Enjoy!!! youtube.com/playlist?lis...

2 weeks ago 5 2 0 0

YEET YO' LITELLM

Matt Johansen on X: "LiteLLM hacked and is stealing valuable creds. Urgent to remove now.

m.cje.io/4sz8386

2 weeks ago 0 0 0 0

Today’s secret word is Patch

3 weeks ago 11 4 0 0

Talked to Fletcher Heisler from Authentik about their take on the next evolution of identity management — Extended IAM (XIAM). Open source, seven years in the making, and a new acronym to argue about. Have a listen: https://risky.biz/RBNEWSSI120/

3 weeks ago 0 0 0 0

The 15th year (*) of Tongacon is in the books. Thank you Jack Daniel for setting the bar for #infosec community 🫶

3 weeks ago 2 0 0 0
3 weeks ago 4 1 0 0
photo of an ad for a “golden gaytime,” a kind of chocolate-covered ice cream bar.

the ad features a photo of the ice cream bar against a red background, with the words “golden gaytime” written over it.

australia has a reputation for being home to terrifying wildlife, but it should probably be better known for its whimsically-named snacks

3 weeks ago 119 13 4 0

Impressive geomagnetic activity tonight with Hp 30 indices reaching above 7 for multiple periods. We are currently experiencing a G3 / STRONG geomagnetic storm. The IMF strength (Bt) is still elevated ~30 nT with slightly negative Bz. Mid-latitude auroral displays are likely throughout the night.

3 weeks ago 43 9 0 0

Enjoying a quiet moment before BSidesSF and RSAC kick in.

This year I'm really looking forward to jamming with folks; imho it's an equal parts chaotic, scary, exciting, and deeply significant time to be in our game.

See you at the circus!

3 weeks ago 2 0 0 0
Intoxalock outage leaves Mass. drivers stranded Some drivers in Massachusetts are unable to start their cars due to a cybersecurity issue affecting a company that provides in-vehicle breathalyzers.

PATCH YO' BREATHALYZER

(seriously though, I'm guessing that attribution on this one is going to be... tricky)

Intoxalock outage leaves Mass. drivers stranded m.cje.io/4sW6Qr0

3 weeks ago 1 1 0 0

#ff @cyberscoop.bsky.social @dochackenbush.bsky.social @yaelwrites.com @tib3rius.bsky.social @pivotcon.bsky.social @infosecjen.bsky.social @meggardiner.bsky.social @craiu.bsky.social @cyberstatecraft.bsky.social @mattkapko.com

3 weeks ago 6 1 0 0

#ff @dakotaindc.bsky.social @deciphersec.bsky.social @bugcrowd.com @pylos.co @srldf.bsky.social @andytseng.bsky.social @dieworkwear.bsky.social @lorenzofb.bsky.social @ryanaraine.bsky.social @nop.codes

3 weeks ago 3 1 1 0

#ff @dennisf.bsky.social @weld.bsky.social @jags.bsky.social @ravirockks.bsky.social @singe.bsky.social @ldpreload.so @wbm312.bsky.social @ciaranm.bsky.social @debdebdeb.bsky.social @jvagle.me

3 weeks ago 7 1 2 0

Oh USG/LE took down a couple of IOT botnets you say?

3 weeks ago 14 1 2 0

U.S Strikes Killed Iranian Cyber Chiefs, But The Hacks Continued m.cje.io/4snUbh1

3 weeks ago 0 0 0 0
Security Research Legal Defense Fund We aim to help fund legal representation for persons who face legal issues due to good faith security research and vulnerability disclosure in cases that would advance cybersecurity for the public int...

We’re excited to welcome Casey Ellis (@cje.io) and Jen Ellis (@infosecjen.bsky.social) to the board of the Security Research Legal Defense Fund (SRLDF.org), bringing even more expertise, focus, and reach to supporting good faith security research defend against frivolous and unfair prosecution.

3 weeks ago 5 3 1 1
Claude Tried to Hack 30 Companies. Nobody Asked It To. ◆ Truffle Security Co. We gave AI agents simple research tasks on cloned corporate websites. When the legitimate path was broken, the agents autonomously discovered and exploited SQL injection vulnerabilities to complete…

Q: When is an SQLi bug just a sparkling API?
A: When you ask an LLM to grab a bunch of data from a website, and it realizes that one is there.

imho, this is one of those "don't hate the finder, hate the vuln" things.

cc: @trufflesec

m.cje.io/4uAvgIh

3 weeks ago 8 1 0 0
Fact Sheet: President Donald J. Trump Combats Cybercrime, Fraud, and Predatory Schemes Against American Citizens COMBATING CYBERCRIME AND FRAUD: Today, President Donald J. Trump signed an Executive Order to combat cybercrime, fraud, and predatory schemes targeting

"The Order directs relevant Administration officials to conduct a comprehensive review to determine what operational, technical, diplomatic, and regulatory tools could be improved to combat transnational criminal organizations."

m.cje.io/4rmbJJ1

1 month ago 1 0 0 0