RE: https://masto.free-dissociation.com/@kevinr/116722776919599573
queued for later: melanie is literally one of the best in the game
| Verified by | https://fedified.com |
| Web | https://cje.io |
| Twitter | https://twitter.com/caseyjohnellis |
| LinkedIn | https://linkedin.com/in/caseyjohnellis |
| Bluesky | caseyjohnellis.bsky.social |

This week on #OpensourceSecurity I chat with @caseyjohnellis about vulnerability disclosure
This is a pretty hip topic right now, and on any list of the best in the business, Casey is at the top
I guarantee anyone who listens to this one will learn something useful
https://opensourcesecurity.io/2026/2026-05-vulnerability-disclosure-casey-ellis/

Josh talks to Casey Ellis about why vulnerability disclosure is so hard, and also so important. Casey is one of the best in this space, having been a Bugcrowd founder. There are few people with more experience and insight into how a security vulnerability should be handled, and why the explosion of AI is making all this much harder than it’s ever been before. While finding vulnerabilities is easy, reporting them is still a lot of work. Casey is working on helping everyone better understand all this with his disclose.io project.
A new edition of my newsletter ~ this week in security ~ is now out, featuring: Canvas school login pages defaced; a new deepfake tech is alarmingly accurate, hackers used a screensaver file to hack SSL provider DigiCert, leaky vibe-coded apps, and a Verge reporter gets run over by a robot lawnmower — for journalism!
Read online: https://this.weekinsecurity.com/this-week-in-security-may-10-2026-edition/
Sign up/RSS and support the newsletter: https://this.weekinsecurity.com
"AI has also given people who have absolutely no idea what they're doing the ability to ascend the "Mount Stupid" section of the Dunning-Kruger curve in record time, and substantially lowered the barrier to entry for this particular behavior, which nets out to more people submitting more things. This isn't a linear problem, it's actually a compound one."
“We are going to crave more authentic in-person experiences as our online interactions are seemingly less authentic”
@thedarktangent utterly nailing it
I’ve a soft spot for researchers who revisit old problems and bugs and have another go. One of my top talks and research for this year by Yuqi Qui on DNS ECS bypasses, aka Rebirthday attack
Took a year's worth of research to do. They spent a huge chunk of time perfecting their internet-wide scanning approach and working with vendors to get this resolved.
Super impressive stuff from Yuqi
NEW by me: Cloud app host Vercel says it was hacked and that some customers' data was taken.
Vercel blames an earlier breach at Context AI (*unrelated to OpenAI). Hackers allegedly used their access in March to hack a Vercel employee, who had linked a Context AI app to their work account.