Josh talks to Casey Ellis about why vulnerability disclosure is so hard, and also so important. Casey is one of the best in this space, having founded Bugcrowd. There are few people with more experience and insight into how a security vulnerability should be handled, and into why the explosion of AI is making all of this much harder than it has ever been before. While finding vulnerabilities is now easy, reporting them is still a lot of work. Casey is working on helping everyone better understand all of this with his disclose.io project.
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:00) Today, Open Source Security is talking to Casey Ellis. He’s best known as the founder of Bugcrowd and also the founder of Disclose.io. I am extremely excited to have Casey here to talk to us because, like, the last couple of months, man, have been bananas. And we set this up a long time ago and it is just, I feel like the crazy knob just keeps going up. And so, wow.
Casey Ellis (00:18) Yep.
Yeah, I definitely, you know, the whole idea of, like, let’s dial it to 11 and see if that fixes things, like, that didn’t seem to work. So now we’ve gone on and dialed it to, like, whatever, over 9,000 or something like that. Yeah, but it’s good to see you, man.
Josh Bressers (00:37) Yes. Yes. So one of, it, yeah, yeah, it’s been, it’s been a long time. So it’s always, it’s always a treat. So one, I guess you are, I’m very interested in talking to you, Casey, because, as most of us have noticed by now, the comment-verse is filled with vulnerability disclosure experts now, and
Casey Ellis (00:43) It has been a while.
Yes.
Josh Bressers (01:03) You are one of the, like, handful of people I know who is an actual, legitimate, real vulnerability disclosure expert. So I’m very excited.
Casey Ellis (01:10) I was trying to do it, trying to do it before it got cool. So yeah, I do appreciate that.
Josh Bressers (01:14) I know, right? And, like, it’s funny because I think, like, I spent 20 years complaining that no one listened to us. And now it’s like, I miss the old days. Like, it was so much better.
Casey Ellis (01:25) Yeah, no, definitely. I think, you know, especially in terms of, you know, myself and some of the other old guard in this kind of space, we’re definitely spending a chunk of time feeling like the dog that caught the car. But, you know, at the same time, the fact that it’s a conversation that’s being had, that’s kind of open now, that’s a really important and a really positive thing. I think it becomes more an issue of how do we steer it.
Josh Bressers (01:39) Yes.
Casey Ellis (01:50) And then how do the things that are most impactful strategically, like, not get lost in all the noise? Cause there’s no shortage of that going around right now too.
Josh Bressers (01:58) Yeah, yeah. Okay, I mean, let’s start there, right? Why don’t you tell us a little bit about yourself for anyone who might not know? Because I know, like, it’s one of those things, you know, I’ve been in this universe forever, so when someone starts talking about Casey Ellis, I’m like, yes, everyone knows Casey. But I suspect this audience might not know who you are or why we should listen to you.
Casey Ellis (02:01) Sure.
Who’s that guy? Yeah.
Yeah, sure. Absolutely. Gosh, that’s a better question for my mom, probably, but I’ll give it a crack. So yeah, Casey Ellis, I am, like you said, best known as the founder of Bugcrowd. So Bugcrowd didn’t invent vulnerability disclosure or bug bounty programs, but we did pioneer this idea of putting a platform in between all of the security researchers that are out there wanting to help out and all of the ultimately kind of creative problems that need to get solved for defenders.
Yeah, the core of the thesis was to basically outsmart or create, you know, a condition where we’ve got enough intelligence and enough creativity, from, like, a firepower standpoint, available to at least have a chance of outsmarting the bad guys and getting to things first. So that was back in, like, 2011, which was when I started working on it, and it kicked off in 2012. So I’ve been at this for quite some time in that respect. I think the other thing that I wanted to do, having grown up as a hacker, like, gotten into pen testing and then kind of moved across into
the entrepreneurship kind of role a little bit later on in life, was to basically create a better operating environment for people that hack in good faith, right? Cause I’ve been at this since the late nineties, and the environment that security research, and even just people that think like a hacker, are now able to operate in, that’s relatively recent in the story. I think a lot of new entrants to the mix and a lot of players on the field right now don’t actually acknowledge the fact that this hasn’t been,
you know, anywhere near as easy a conversation as it is today, you know, up until fairly recently. So that was a big part of what I wanted to try to make an impact on. And Bugcrowd partly helped with that. Disclose.io is really kind of the policy and the overall, you know, environment-shifting project that I kicked off in 2018 or so. Yeah. So Disclose.io, like, where it really started was this idea that’s, you know, as I just said, like,
Josh Bressers (04:02) Yeah. Yeah. So tell us about disclose.io.
Casey Ellis (04:12) from a thinking, from a policy, from a legal standpoint, like, a lot of the original kind of computer crime laws kind of assume that if you’re hacking a computer, you’re automatically a bad person. And then you have to prove that you’re not, right? Which is not how jurisprudence is meant to work. It’s kind of just dumb in general, because it nets out to a chilling effect for people that are doing security research that has the ability to actually help make things safer. So, like, that just to me felt like a really stupid problem. It’s like,
you know, hackers are the internet’s immune system and we’ve got this, like, immune deficiency that we can actually solve. Why don’t we do that? So basically what Disclose.io is, is a whole bunch of different tools. It’s a boilerplate vuln disclosure policy that focuses on making sure that there’s safe harbor in both directions, so that it’s safe for the hackers that are trying to help and that it’s safe for the organizations that are launching a program, because they don’t want to give bad guys carte blanche to do whatever they like, right?
That language has been developed. There’s all sorts of different people from all sorts of different kind of positions of pretty heavy influence around this stuff that have worked on actually crafting that language. You know, Department of Justice, Department of Defense, some of the biggest kind of internet providers over the years, all that kind of stuff. And the thing of it is, like, writing, it sounds kind of boring on that side, but the reality is that, like, writing,
writing policy language or writing a legal document that’s easy to read, legally as complete as it can possibly be, and provides adequate protections in both directions is a really difficult thing to do. Like, that’s actually kind of a design problem. So that was the thing that we were trying to solve originally. And that stuff has been adopted since it got picked up for the CISA, Federal Civilian, like, the Binding Operational Directive 2001 and…
2020, it got rolled out into election security here in the US as well. It’s been picked up globally as well at this point in time, which is pretty cool. So that’s sort of the core of it. But then what we’ve gone and done on top is to actually build out a maturity model. So for organizations, for example, to have, if you’re a researcher and you’re doing proactive research, or you just happen to stumble across something that’s broken on the internet, it’s really hard to figure out oftentimes, like, who to tell,
and whether it’s safe to do that or not. And there are a whole bunch of standards and tools to try to make that easier, but those standards aren’t very, very well adopted still, even in 2026. So what we’ve done is created basically a directory and a maturity model to kind of rank organizations based on where they’re up to in that process. And the idea is that, like, if you’re a company that’s being transparent about the fact that, like, yeah, writing software is hard,
we’re going to do everything we can to keep vulnerabilities and risks out of our systems, but we’re going to assume that we’re not perfect, and that sometimes feedback is going to come in from the outside world. Like, to me, that’s a gesture of security maturity that, like, the average person can kind of understand, right? It’s like, oh, it’s a neighborhood watch for the internet. I get that. And ultimately that should convert to trust. So that’s kind of where we’re trying to take all of that.
That’s it. Those are a couple of things. There’s a bunch of other tools as well. But yeah, in general, if you’re a hacker, if you’re someone who runs a PSIRT or a security program, go check it out.
Josh Bressers (07:32) Yeah, yeah, and so the framework thing you’re talking about, is that on disclose.io right now? Oh, it is, okay, I’ll have to go dig for that. I told Casey before we recorded, I actually haven’t looked at disclose.io in quite a while, and so I’m excited to dig through it again.
Casey Ellis (07:37) Yeah, correct.
Yeah, the whole project went through a bit of a, it had a little bit of a quiet period there. I mean, in terms of what I’ve been up to as well, something that I’ve shared a fair bit about, and not to go into it too deep right now, but I actually had unexpected heart surgery about two years ago. So I had a genetic thing pop off that required some urgent attention, and that obviously took me offline for a little bit.
Getting some time to sit and think and recover and actually think about what’s important, and then start to create some direction and strategy around this stuff and bring other people around it. That was the lull, but obviously it’s getting a lot more active now. So yeah, it’s good times.
Josh Bressers (08:25) And for anyone listening who might not understand, Casey talked about safety and being worried and kind of legal issues. Probably 10-plus years ago, if you found a vulnerability in something and you were going to tell the company, you didn’t know. It was not uncommon for them to say, we’re going to sue you. We’re going to put you in jail. Or for people to actually be arrested for doing some of this stuff. It was scary.
Casey Ellis (08:47) Yep. Yep.
Yeah, a hundred percent. That was the default environment that I grew up in. And, like, it’s really cool to me that that default in a lot of places has changed. I think a part of what we’re trying to get out there is that that change is not evenly distributed yet. Like, there is actually another project on Disclose.io which is a threats database. And it kind of builds on the stuff that Jericho did with attrition.org back in the day, right? So if you receive
Josh Bressers (08:59) Yeah. Yeah.
Yeah.
Casey Ellis (09:23) a threat that’s clearly intended to chill. It’s not because you’ve been operating in bad faith, but it’s because you’re doing good faith security research that the vendor doesn’t like, and they’re trying to use CFAA or DMCA or whatever to suppress that. You can actually upload evidence of that onto this particular repo and we’ll publish it. Because there’s this idea of accountability, actually telling the story that, no, this is actually still a thing.
Josh Bressers (09:44) Nice.
Casey Ellis (09:52) Right? Like, it’s definitely not the default thing anymore, but it is very much still a thing that happens out there. And then trying to really, you know, tell stories to educate people on how to suck at it less is a big part of what we’re trying to do with that on both sides as well. Cause I do think that security researchers still have this habit of coming in really hot and not understanding that, you know, on the vendor side, like, they’re trying to run a business and run a security program. Like, there’s empathy and pragmatism that needs to be kind of
Josh Bressers (10:12) Yes.
Casey Ellis (10:19) worked on, on both ends of this. And I think that’s always going to be true. But that’s a big part of the problem that we try to solve.
Josh Bressers (10:24) That’s right, every security report is critical when it’s reported by the researcher.
Casey Ellis (10:30) Yeah, yeah. And sometimes that’s, honestly, sometimes that’s true. But as a researcher, actually going into it with a degree of humility and understanding that you’re never going to have full context, I think that’s a really important place to start from as well. So yeah, it’s all a set of balancing acts. The challenge now is that you throw AI on top of all of it. We’re doing everything, like, stupid,
you know, doing stupid things faster with more energy, like, right across the board in all directions now. So it’s just, it’s getting more and more important to solve these things, I think.
Josh Bressers (11:00) Yes.
Yes, yes. Okay, one more setup, and that’s what do we mean when we’re talking about disclosure? Because you and I know what that means, but not everyone listening does.
Casey Ellis (11:09) Sure. That’s actually, yeah, that’s a really, that’s a really good call out. Yeah. So basically disclosure, for starters, it’s a shitty way of saying it, because, like, disclosure actually describes several parts of the process and they’re not all the same thing. Right. So the basic kind of chain of things is, a finder discovers an issue. They’re either doing proactive research or they just come across something that’s broken and they’re like, okay, I have a vulnerability. I need to
Josh Bressers (11:22) Yeah.
Casey Ellis (11:37) tell someone about that so that they can fix it. That’s generally referred to as vulnerability disclosure, which is kind of dumb because it’s usually not a public thing when that happens. I tend to refer to that as vulnerability reporting because it just is a bit cleaner from a process standpoint. The entire kind of process is generally referred to as a whole as vulnerability disclosure, but words are hard. That’s just kind of where that’s at.
Josh Bressers (11:54) That’s fair.
You also have a website literally named disclose.io.
Casey Ellis (12:06) Yeah, yeah, yeah, no, 100%. Sometimes you got to go with, you know, if you pay the piper, you pick the tune, right? So sometimes it’s good to go along with that. But yeah, so you report the vulnerability to the vendor, the vendor and you and anyone else who might need to be involved from a fix standpoint get involved, and there’s a conversation that goes on, or not. Like, usually that’s the bit that breaks initially. But if that part’s successful, then there’s coordination around what’s going to be done to actually fix this thing.
Josh Bressers (12:11) Yep, yep.
Casey Ellis (12:34) And off the back of that, generally the piece that follows is that there is some sort of advisory, there’s some sort of notification that’s pushed out to the public that says, hey, this thing is vulnerable. You need to apply a patch. Or if it’s hosted, sometimes it’s, this thing was vulnerable. If you need to do kind of any kind of proactive or reactive, you know, threat hunting or mitigations or different things like that, like, that’s,
that’s what you should look at and what you should do. Like, the purpose of the disclosure part, where it’s actually published, is twofold. One is to basically alert users of the software that there’s a risk that they need to deal with, or there has been a risk and they should go back and see if that caused any particular issues for them. But on the other side of it, it’s to basically educate everyone else. It’s like, OK, here’s an example of a vulnerability that was found,
you should probably try to avoid that; if you’re a hunter and you’re trying to help out, this is how you can look for it, and different things that you can actually use to inspire your own research going forward. So yeah, that was a really, I mean, I’ve got a blog post on this that I’ll send you afterwards that is a lot more articulate than I just was, but that’s the overall idea.
Josh Bressers (13:46) Yeah, I mean, I have no complaints with that. It’s a hard thing to describe. So, okay. All right, so that’s all our setup. So here’s, like, the meat and potatoes of the discussion: all of this, kind of the, all of the LLMs, the AI, the, I mean, Mythos has been in the news for the last how many weeks. And it feels like a lot of this is kind of becoming a real thing, and disclosure, or reporting as you, I guess, would more accurately call it,
Casey Ellis (13:49) Well, I appreciate that.
Josh Bressers (14:15) feels like it’s in the middle of it all. And it’s kind of bizarre just because I think historically this was a very small group of people that would often do these sort of things. And now, like, I mean, so my kind of canary in the coal mine for a lot of this is Daniel Stenberg. He’s the maintainer of curl. And I know I talked to Daniel back in 2025.
Casey Ellis (14:19) Yes.
Yeah.
Josh Bressers (14:40) And he was talking about, you know, all the AI slop reports and how terrible they were. And they were all fake, you know, the AIs were hallucinating function names, and it was just a ridiculous waste of time. And he, like, he quit the bug bounty they had on HackerOne. And since then he has, we’ll say, drastically changed his tune. And it’s not that he’s changed. It’s that everything else has changed. And so now they’re getting, like, real reports from, I mean, the reports sometimes still suck.
Casey Ellis (15:01) Yeah.
Yes.
Josh Bressers (15:08) That’s, they’re not fixed, but you know what I mean? It’s like the tooling has come a long way here. And so now this concept of disclosure, like, anyone can run an LLM and find a security vulnerability, but that’s the easy part. And finding the stuff was always the easy part, right?
Casey Ellis (15:23) 100%.
Yeah, yeah, no, 100%. I think the other thing to call out, from a bona fide standpoint, going back to where you were asking at the front of the show, I’ve been working with frontier labs since late ’22 on security of their systems, but also offensive use of AI. How does offensive training of AI actually improve AI’s ability to generate code that’s less shit,
being secure, which is kind of the main reason that the big vendors actually do that stuff. And also working with startups like Dreadnode, who do evals for open weight models and all that kind of stuff, on basically, like, the pure offensive security application of AI and LLMs since probably late ’23. So I’ve been kind of neck deep in this space for a little while now.
Yeah, the convergence, like, what I saw at the time, on top of that, working with the White House around AI security policy and the national cyber strategy back in 2020 and ’21 as well. So, like, there’s been this whole kind of, okay, this thing’s coming over the hill. It’s going to drop itself on us real quick. It’s going to become an issue of retail politics on the policy side, but it’s also going to really upset the economics that we’re kind of used to
as attackers and defenders right across the board. So how do we start to get our heads around what to do with that? Yeah, just sorry to digress there, but everyone’s talking out their ass about AI right now. So I feel like it’s important to actually say, no, I’ve been working on this for a fair bit of time as well. So I’m not just, I’m working as hard as I can not to make shit up. I think the symmetry piece that you’re calling out there is exactly, exactly right.
Josh Bressers (16:56) Yes.
Casey Ellis (17:12) Yeah, the thing that happened early on with Daniel, I think, really kind of made a commonly talked about issue, is that if you’ve suddenly got the ability to put, you know, vulnerability reports out into the world with the prospect of getting paid, and you’re someone who wants to get paid, like, no matter whether you’re a security researcher or not, that’s just something that is going to attract noise. Right. Like, that’s the, and we’ve seen that,
you know, through the last 14 years of doing Bugcrowd, like, we’d have people, you know, Photoshopping false XSS returns back in, like, 2014, 2015. So this whole idea of people just kind of making crap up and throwing it at the wall for the potential of getting paid, that’s not a new phenomenon. And to me, it’s actually not, it shouldn’t be that surprising to people either, because, like, you know, you’re building, like, economically incentivized games that are designed to attract people to break things.
So the fact that they fuck with the system that you’ve built to actually do that is not, to me, a huge shock, right? So just putting that part out there to begin with, and I actually don’t think that everyone at this point in time, actually, I’ve been saying this for a while, I don’t think that every organization should run a bug bounty program in a public sense. I think every organization has a vulnerability disclosure program, whether they like it or not. People are doing research, they just might not be getting the report, but there’s a big difference between that
Josh Bressers (18:14) Yeah.
Casey Ellis (18:38) and actively incentivizing people to try to be helpful, right? So that’s one big call out. And that’s an important one, because I feel like the whole thing is kind of thrown out with the same bathwater right now. It’s like, research is super annoying, like, screw this, blah. And I’m like, well, there’s a bit more nuance to it than that.
Josh Bressers (18:58) Well, researchers can be super annoying and they can be super correct. Like, I’ve dealt with many that are both.
Casey Ellis (19:00) 100%.
Well, yeah, and the most, I think, difficult case to kind of deal with there is when it is both, right? You’ve got folks that don’t necessarily understand, you know, all the stuff that we were just talking about around empathy for the defender and blah, blah, blah, blah, blah.
Josh Bressers (19:12) Yeah.
Casey Ellis (19:22) But they’re also right in terms of what they’ve found, and ignoring that ends up being at the peril of the user, because you’ve basically exposed a risk, or seen a risk exposed, that you’re now gonna ignore going forward because it was annoying. Like, that’s a dumb problem to have, but it’s a reasonable one at the same time, right? What’s that?
Josh Bressers (19:37) Yeah. So, so you know what this reminds me of, Casey, and you’ll probably relate to this completely, is I remember back when fuzzing was becoming a thing. This was probably, like, 2006, give or take. And there was a researcher, I was at Red Hat at the time and I was doing, you know, just an obscene amount of coordination. That was basically my job. And I remember at one point someone sent us, like, here’s 300 PDF files that crash whatever PDF library was hip at that time. I can’t even remember anymore. And we’re like, you can’t be serious.
He’s like, what? I gave you 300 reproducers. That’s great. We’re like, no, this is not great. Like, this is an enormous amount of work you just dumped on top of us. Like, help, please, anything. It was, it was wild.
Casey Ellis (20:09) Ahem.
Yeah, yep, yep.
And this is the thing, like, to me, there’s a couple of different dynamics that are in play at the same time. The first is that there are still a butt ton of bugs out there, which is kind of what you were getting at with the way Dan’s changed his tune over the past little period of time, because LLMs have objectively gotten better at vulnerability discovery, especially when there’s source code available. And that’s a capability that’s improved for
Josh Bressers (20:32) Yes.
Casey Ellis (20:46) pretty much everyone right across the board over the last six months, most dramatically, but it’s been steadily improving for the last probably two or three years. But then also, I think, you know, the other thing that’s happening for him is, because he’s removed that incentive to just try to get paid, his signal to noise ratio has changed in terms of the kind of people that are actually motivated enough to submit a report in the first place. So I think that’s the other part of what he’s experiencing that’s probably not getting talked about quite as much.
Josh Bressers (21:04) Sure.
That’s fair. I hadn’t even considered that point. So that’s fair. And yeah, completely. Yes, 100%. Okay, that makes sense. Because, I mean, one other thing that’s important, I think, that we don’t talk about all the time, is, so, like, curl, even if they’re not paying money for the bug bounty, like, having your name on a curl security advisory is, like, I always laugh about, you know, exposure is the greatest currency of all, but, like,
Casey Ellis (21:17) That’s a real thing. Yeah. Yeah.
Yeah, so yeah.
Yeah.
Josh Bressers (21:41) In this particular instance, that is actually, if I’m, like, a security person looking for work or, you know, trying to show up in a portfolio, my name on a curl advisory is actually, like, huge.
Casey Ellis (21:50) That’s a big deal.
100%. Yeah. I Am The Cavalry came out with this, like, the five P’s of hacking and hacker motivations. It was prestige, profit, protect, patriotism and puzzling. And I love that because, like, yeah, profit is definitely a reason to do stuff. Like, prestige is a reason to do stuff. I think as, like, the job market and the general kind of global economic environment gets
twitchier, that becomes more of a motivation for folk. But in the middle of that, you’ve still got people that are just literally puzzling and actually wanting to make the internet safer in the process as well. So, like, there’s all these, and then you’ve got patriots, who are, like, that’s a whole class that we won’t go into here, that’s, you know, there’s all these different motivations that kind of kick in. And I think,
Yeah, there’s a bunch of different reasons to do this. I think, going back to sort of where does this all go from a disclosure ecosystem standpoint, you know, the bit that I’m kind of getting more and more convicted about, and more and more motivated to lean into, and have been for a while now, is the fact that, like, that’s going to exist regardless, right? Like, this is, you know, back to what I said before, this idea that organizations feel like they can shut down a bug bounty program or shut down a VDP, and then all of a sudden research stops,
and therefore there’s no more vulnerabilities. I’m like, that’s ostrich risk management. You know what I mean? That’s not how this works at all. So that is kind of a primitive to the system that we’re working with. That’s sort of how I see it. And yeah, it’s inconvenient, especially in this particular season that we’re in right now, but we’ve got to actually figure out a way through that, because I don’t feel like we’ve really got a choice.
Josh Bressers (23:35) Yeah, I, a hundred percent. I mean, and the thing is, so, you know, I’ll go back to my fuzzing example, maybe, is this feels similar, where I remember when fuzzing started, it was, like, very overwhelming and very, the world is going to end. And then what actually happened is we fuzzed a ton of stuff and a lot of tooling got better. This is where we saw, like, a lot of the compilers started getting, you know, stack canaries and, and what, memcheck. I don’t even remember all the crap that was added now. It’s been so long.
Casey Ellis (23:42) Yeah. Yeah.
Josh Bressers (24:04) But, you know, like, the ecosystem adjusted.
Casey Ellis (24:07) That’s like pre-ASLR too, right? So you’ve got all these memory randomization toolings that were ultimately a product of that research at a system level that we now take for granted. But yeah, there was a bumpy period that we had to go through to get to that place.
Josh Bressers (24:11) Yep, that’s right.
Yes.
Yup, yup. Yeah. It was rough. I mean, I remember I was, I was at the coal face for all of that. And it was just like, oh my goodness, this is terrible. But I also kind of hope I don’t have to live through that again, but I mean, we’ll see.
Casey Ellis (24:36) Yeah, I think this is gonna be really rocky. Like, I think it’s gonna actually be a lot worse, and that’s me doing as best as I possibly can not to be a doomer, because I don’t, you know, subscribe to that kind of fatalist or nihilist thinking about this stuff. But, you know, the reason that I’m kind of a little, yeah, I do feel like there’s a more positive
Josh Bressers (24:40) I think so. I think it’s gonna be worse.
Casey Ellis (25:03) side to this that we can actually get to, but the road to that’s going to be pretty rough. As an example, this whole thing around, let’s go clean out a whole bunch of open source library vulnerabilities and fix them, and then figure out how we can do, you know, LLM-assisted patching and blah, blah, blah, blah, blah. Like, that’s all great. And that’s all going to, I think, actually yield a ton of results.
But the challenge is, like, you know, using curl as an example: okay, Dan fixes a thing, like, how many products does curl exist in that have now got a, yeah, that they now have to regression test, and make sure that any of the changes that were made for the sake of improving security don’t break the functionality of the product that they’ve sometimes gone off and sold, right? You’ve got this, like, crazy long chain, long tail of supply chain risk.
Josh Bressers (25:36) All of them.
Casey Ellis (25:55) And in the meantime, if that library or that fix is published publicly, then as a bad guy, I don’t need to really go off and find it anymore. I just diff the patch, and that’ll tell me exactly where the vulnerable function is. And all I’ve got to do from that point on is to write an exploit for it. So there’s a whole bunch of, like, that sort of, I feel like the internet’s built on, you know, the pile of turtles that the internet’s built on in 2026 is a lot taller than it was in 2006. And I think that’s
a part of why I think it’s going to get kind of bumpy to get to a steady state.
Josh Bressers (26:27) I don’t think it’s bigger. I just don’t think we knew, right? The water was not very clear. I still think, like, we had open source all the way down. We had, I mean, we have more now than we did. And I will say, with things like NPM, where now when you, like, NPM install one package, you end up with, like, 300, which maybe didn’t exist in 2006.
Casey Ellis (26:46) I think, yeah, I agree with what you’re saying in terms of open source underpinning a lot of things back then as well. But yeah, that’s kind of what I’m getting at, like, the number of turtles, right? So, like, yeah, I’m gonna vibe code a project, great. And it’s, like, this really simple thing, but all of a sudden it’s got, like, 7,000 packages wrapped into it because NPM decided that was a good, cool thing to do.
Josh Bressers (26:57) Yeah, that’s fair. That’s fair.
Right, right.
Casey Ellis (27:11) Yeah, one of those gets patched and you’ve got how many instances of that out there on the internet that are potentially exploitable at that point in time? And then what does the long tail of all of that getting fixed look like? That’s the big one that keeps me up at night, but I think there’s a bunch of different variations of that that exist that we haven’t really tested yet as well. Yeah.
Josh Bressers (27:28) Yeah, yeah.
Yeah. And, like, we don’t know. I mean, we’ve been working on this for decades at this point, on how do we handle, like, all the dependencies, all the supply chain things. And we don’t know. I mean, I wish I could say there was a quick fix. And the thing that makes it even harder is, a lot of, I mean, this is one of the things I talk about on this show over and over again, is just, like, the fact that a lot of open source is a person who works on it one Sunday a quarter, and
their problem isn’t, like, you can’t even give them money to make some of this better, right? The best you could do is employ them full time, because they just, they have a Sunday a quarter, like, that’s it. You know what I mean? Cause they have a job, they have a family, they have other things going on. And I don’t think there’s a good understanding of what this actually looks like. And one of my examples is, like, if you talk to people like the Linux Foundation or the OpenSSF, the Open Source Security Foundation, like,
Casey Ellis (28:11) Yeah.
Josh Bressers (28:27) They don’t understand this either, right? Like a lot of people think open source is, you know, the Linux kernel or Kubernetes or these, you know, well-funded, well-staffed giant projects, when the reality is like 99%, probably 99.9%, is like a random person. It’s like, I hate that XKCD comic because it’s correct, like, all the fricking time, except it’s not one block of a person in Nebraska.
Casey Ellis (28:51) Yeah. Yep.
Josh Bressers (28:56) It’s a thousand blocks stacked on top of each other that are all one person in some random place.
Casey Ellis (29:02) Yeah, yeah. I think being able to talk about this type of stuff... like, I wrote a post just after Mythos dropped that blew up way more than I thought it would, because I kind of called out the fact that AI is not really the problem here. Like, the problem is that, you know, vulnerability management, vulnerability intake, like the ability to have a conversation between someone or something that’s found a problem, you know,
validating whether or not that’s true, but then going off and doing something about it. Like, we’re already pretty bad at that. And what we’ve gone and done with AI at this point in time is kind of multiplied effectiveness on both the discovery and the fix side by a factor of 10, which is great because it’s like, cool, we’re better at fixing now. We’ve got more tooling. But then you go off and look at the other side and how much of a gap that creates or reveals in the process. It’s like, shit, okay.
We maybe need to rethink, and this is where, because I know we’re getting to time here, but like, something to call out. I do think that the bright spark, and something that I’ve been talking to a lot of people about in the security industry, is that AI does make prototyping and building out tooling to go off and try out things that you think could potentially solve or help with problems like these. Like, it puts it in the hands of folks that aren’t necessarily
platform developers, but have deep experience of what the problems actually look like at the coalface. And I think the more folk that are actually trying to think through what do the solutions that we’re working with in five or 10 years’ time look like, and how do I start actually proving whether or not that’s a useful thing today? There’s never been an easier time to start doing that. I don’t think there’s ever been a better time to start doing that. So this idea of trying to like…
call out some of the entrepreneurial spirit that exists in the hacking community and say, hey, like, go start building some shit because we’re gonna need it. And you might have ideas locked up in you that you just didn’t do because it felt like it was too hard to do. Like, it’s easier now. So, like, get talking to folk about it and start thinking about what the solutions might look like.
Josh Bressers (31:14) Yeah, yeah. Okay, so as we land this plane, what does this look like for anyone listening who maybe isn’t a hacker trying to solve the problem, but it’s just an open source project or a company or somebody that, like, what should they be doing? Like, what are the next steps for someone trying to just figure out what everything going on means for them?
Casey Ellis (31:17) Hey.
Yeah, what does [gestures vaguely] imply? For maintainers and for open source folk, I mean, for starters, I do think Daniel telling his story was really helpful. And it was funny because I think a lot of people just presumed I’d be pissed off by it because it felt like he was slagging on bug bounty. But I’m like, no, he’s right. Like, the stuff that he’s talking about here is absolutely a problem.
Josh Bressers (31:41) Right.
Yeah. yeah.
Yes.
Casey Ellis (32:04) And truth need more with itself. So let’s get talking about it and start to figure out how to fix it. So I do think that those sorts of things, and actually sharing more broadly what the experience of this is like for folks that are ultimately kind of propping up the internet... I don’t think that’s well known, to your point earlier. So I do think there is definitely a storytelling and a socialization component of that that would be really helpful.
I do think just very practically, like, it’s going to get louder. So, like, thinking through, even from a threat modeling standpoint, if you’ve got the ability to do that in-house; if you don’t, find people that’ll help you with it and just kind of tiger team out your processes and try to figure out, like, where are the weak spots? Where can we expect to see supply chain attacks? ’Cause those are ramping up pretty crazily at the moment, and they’re
definitely an open source thing. But also just this idea of, like, how do we triage and prioritize vulnerabilities that are coming in? Like, how do we improve our muscle group to be able to differentiate signal from noise in that process, and then to prioritize? You know, with the anticipation that it’s gonna just get noisier and noisier, and that we’ll never be perfect at writing secure code, and that’s okay. We’re gonna get better at it, but that’s never
a problem that gets solved to 100%. So there’s always going to be this input that you need to figure out how to triage and prioritize. And I think honestly that’s the biggest problem that people have right now. Because a lot of it... there’s a lot of signal buried there in the noise. Both have gone up. So the question becomes, how do you distinguish between the two, but then prioritize the signal? Because you’re going to end up still with a throughput problem if you don’t do both.
Josh Bressers (33:54) Yeah, for sure. And obviously you have a website people can go look at.
Casey Ellis (33:58) Yes. Yeah, yeah. Reach out to us at disclose.io in particular. There’s a lot of tooling in there. Something that we’re starting to do more of is to basically put together best practice and, frankly, etiquette guides for security researchers in particular. It’s like, how do you get into this, particularly for young players that are just getting into it for the first time? They’re like a three out of 10 for usefulness, but they’re 12 out of 10 for enthusiasm.
And they’re actually a big part of the problem without realizing it. Like, they’re not operating in bad faith. They’re just enthusiastic and trying to jump in and help out. So it’s like, how do you steer that energy into something that’s more useful and more productive? Like, I would love to hear from open source folk on how we can give better advice around that, because I’m mostly talking about it through the lens of, you know, steering security research towards corporates on the backend. That’s most of my background. So that would be cool.
Josh Bressers (34:26) Bye!
Yes.
Yeah.
Yeah. Well, I mean, so I’ll tell you now, one of the challenges you have with open source is, like, open source isn’t like a thing, right? It’s 10 million things, and every one of them is a little different, and it’s tough, right? And this is where things like the Apache Software Foundation, for example, or the Linux kernel, they have a well-defined process for interacting with them if you’re a security researcher. But like, if you pick on some random project owned by some random person,
Casey Ellis (34:56) Yeah. It’s a universe of things. Yes.
Josh Bressers (35:17) they might not even know what a security vulnerability is, much less what they hate. Like, what the CVE, what the hell is that? What do I do here?
Casey Ellis (35:24) Yep, yep,
yep, yep. And we didn’t even touch that rabbit hole, but I do think, yeah, that would be really helpful to get those stories out there and to, frankly, get some assistance from you guys on our end around how to do it better. But the other thing I would say, just to park it, because you invoked CVE, is don’t expect the cavalry to show up anytime soon.
Josh Bressers (35:47) There’s no cavalry.
Casey Ellis (35:47) The cavalry is not coming. I think there’s work being done on solving that problem, but the safest assumption right now, just given the fact that people that are trying to maintain and orchestrate on the vulnerability side are experiencing the stress that you are, multiplied by a thousand... you can’t necessarily rely on that. And it’s less fragile for you to think about how you’re going to do it for yourself first, and then be in a position to use help if it becomes available going forward.
Josh Bressers (36:05) Yeah. Yeah.
Definitely. Yes. Yes. Well, I assure you, the people who think we can do some work on this, in like the CVE land, they do not understand the problem. I’ve talked to a bunch of them. Like, they don’t know what open source is at all. And they literally, like, their brains cannot comprehend the size of what we’re dealing with here. It is going to be a wild couple of years, I think, just because, like, holy cow.
Casey Ellis (36:35) Hmm. Hmm.
Indeed. Yeah, the alternative advice is like, go buy a farm somewhere and learn how to use an abacus.
Josh Bressers (36:48) I have a friend who bought a farm to leave tech, and they were like, this is so much worse than tech. Everything is broken all the time. I have to get up early and I stay up late. He’s like, if I’m not helping an animal or a plant, I’m fixing something that’s broken. So I’m like, you’ve ruined my dream.
Casey Ellis (37:03) Yeah, that
does tend to be, yeah, that sounds about right.
Josh Bressers (37:10) I know,
right? There’s like, there’s nothing else. There’s nowhere to go. I guess we have to fix this. So.
Casey Ellis (37:14) Yeah, grass is always greener. And you know,
it’s people that are irrationally pissed off about problems that they think that they can solve. I think they’re the ones that are responsible for the internet still working in the first place. So, you know, if you’re in that mix, like keep at it, because like we got to keep going. Indeed. Yeah, likewise, man. Likewise. Good to catch up.
Josh Bressers (37:25) yeah, yeah, that’s right.
Right, we need your positive energy. Alright, Casey, this has been a treat, man. Cool, cool.
So I’ll put a bunch of links in the show notes for people. They’ll come find you, and yeah, this has been awesome. I just want to thank you so much.
Casey Ellis (37:45) Thank you. Yeah, thanks. Thanks for the opportunity to chat, and thanks for digging into this as well. You know, like I said, I think we’ve got some bumpy stuff coming up, but there are definitely roads through this. And I think the more people that are thinking about that and talking about that, the better. I appreciate the chance to have a chat. Yeah. No worries, man. Cheers.
Josh Bressers (38:03) Yeah, I’m sure you’ll be back. So until next time, my friend.