More Open Source Security episodes

Vulnerability disclosure with Casey Ellis thumbnail

Vulnerability disclosure with Casey Ellis

Published 25 May 2026

Duration: 37:49

The evolution of vulnerability disclosure highlights challenges in prioritizing critical issues, outdated legal frameworks, and the role of initiatives like Disclosed.io in standardizing policies, alongside AI's impact on detection, open-source risks, triage complexities, and the need for collaboration and transparency to address systemic security barriers.

Episode Description

Josh talks to Casey Ellis about why vulnerability disclosure is so hard, and also so important. Casey is one of the best in this space having been a B...

Overview

The podcast explores the evolution of vulnerability disclosure, tracing its transition from a niche practice to a widespread framework for addressing security risks. Casey Ellis, a pioneer in the field through platforms like Bugcrowd and Disclosed.io, emphasizes the need for safer environments for ethical hackers, legal protections for vulnerability researchers, and updated policies to align with modern cybersecurity challenges. Bugcrowd enables organizations to collaborate with researchers to preempt malicious actors, while Disclosed.io works to reform outdated laws that unfairly target security researchers, advocating for safe harbor and standardized policies supported by government and industry stakeholders. Key challenges include refining vulnerability prioritization, improving legal clarity, and fostering collaboration between researchers and vendors. The discussion also highlights the growing role of AI in security, which has enhanced vulnerability detection capabilities but introduced new complexities in disclosure processes, risk management, and ecosystem-wide patching.

The content delves into the intricacies of vulnerability disclosure processes, from identification and reporting to coordinated resolution and public advisories, while noting the misuse of the term disclosure to describe reporting efforts. AIs impact is a recurring theme, with improved tools enabling more accurate findings but also increasing noise in vulnerability submissions and complicating risk management. Open-source softwares role in modern infrastructure is examined, underscoring challenges in maintaining security across fragmented projects and supply chains. The podcast underscores systemic issues like the difficulty of achieving secure code perfection, the need for maturity models to evaluate organizational security practices, and the importance of balancing legal protections for researchers with effective vulnerability management. Finally, it addresses ongoing struggles in open-source maintenance, the need for community-driven solutions, and the interplay between AI, policy, and the evolving economics of cybersecurity.

What If

  • What if you integrated AI-driven vulnerability detection tools into your disclosure workflow?
    Concrete move: Develop a custom script or integrate an open-source AI model (e.g., LLM-based analyzers) to automate initial vulnerability identification in your software stack.
    Why now: AI tools like LLMs are now capable of accurate vulnerability detection, reducing noise and improving the signal-to-noise ratio of reports, as seen in projects like curls improved triage.
    Expected upside: Faster identification of critical issues, reduced manual effort, and proactive resolution before external researchers can exploit them.

  • What if you built a lightweight, open-source disclosure framework for legal safety?
    Concrete move: Create a boilerplate legal template (inspired by Disclosed.ios safe harbor principles) for vulnerability disclosure programs, including clauses for researcher protection and vendor liability limits.
    Why now: Outdated laws like CFAA and DMCA still stigmatize researchers; clear, standardized policies are critical to avoid legal risks, as highlighted by Casey Elliss work with policymakers.
    Expected upside: Enable broader adoption of disclosure programs without legal exposure, encouraging more developers to participate in security transparency.

  • What if you launched a community-funded open-source triage tool for vulnerability prioritization?
    Concrete move: Develop a collaborative, AI-enhanced triage platform (like a GitHub bot) that ranks reported vulnerabilities by severity, leveraging criteria from maturity models and threat modeling frameworks.
    Why now: The gap between vulnerability discovery and prioritization is a systemic issue; tools like this can address the "long tail" of open-source risks and improve signal clarity.
    Expected upside: Reduce overwhelming report volumes, ensure critical issues are addressed first, and foster community adoption as a shared resource for solo developers and small teams.

Takeaway

  • Implement a private vulnerability disclosure program to establish a structured process for receiving and resolving reports without exposing your organization to misuse, even if you dont offer public bug bounties.
  • Adopt a maturity model for security practices to evaluate and improve your organizations ability to handle vulnerabilities transparently, prioritizing accountability and feedback from external researchers.
  • Draft clear legal safe harbor policies for researchers, ensuring they can disclose vulnerabilities without risk, and collaborate with legal experts to align with frameworks like CISAs guidelines or Disclosed.ios standards.
  • Leverage AI tools for vulnerability detection but invest in triage processes to filter noise, as AI increases report volume and complexity, requiring better prioritization of critical issues.
  • Create a researcher etiquette guide for open-source contributions, outlining best practices for reporting vulnerabilities to reduce friction and ensure constructive engagement with maintainers.

Recent Episodes of Open Source Security

29 Jun 2026 AIBOM, CBOM, and HBOM with Allan Friedman

The evolution of Software Bill of Materials (SBOM) beyond manufacturing into cryptographic, hardware, and AI domains faces challenges in unified integration, compliance, tooling, and dependency tracking, requiring open-source collaboration, standardized frameworks, and adaptive policies to meet industry demands in procurement and risk management.

22 Jun 2026 Packagist and Composer security with Jordi Boggiano

Strategies for securing open-source ecosystems include malware detection via third-party feeds, transparency logs, rapid incident response, blocking malicious downloads, private registry controls, immutable package releases, standardized workflows, MFA enforcement, and technical proposals like artifact validation and build attestation, while addressing challenges like maintainer hacking, AI risks, usability trade-offs, and the need for ecosystem-wide alignment and human verification.

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

More Open Source Security episodes