Josh Bressers

2.6K Followers
878 Following
796 Posts
VP of Security at Anchore - Podcaster (http://opensourcesecuritypodcast.com http://hackerhistory.com) - Blogger (http://opensourcesecurity.io) - He/Him
Podcast: https://opensourcesecurity.io/
Web: https://bress.net
Cookies? Yes please
TTY1
Signal: joshbressers.01

@hdm disclosure was always the hardest part of vulnerabilities

This will probably drive the price of exploits to zero

It could end up with a wave of full disclosure drops. Or it could drive vulnerability research to zero

I bet there’s not a lot of untapped coordination energy

@Admax Yeah, I'm pretty excited for that one too :)
Close enough.

This week I had a chat with Michael Winser about securing open source at scale

We recorded prior to the events of the last few weeks, everything Michael talks about with securing our infrastructure is spot on

We touch on package repositories, Alpha Omega, foundations, and more. Michael is doing some really interesting work

https://opensourcesecurity.io/2026/2026-03-michael-winser/

#opensource #alphaomega #supplyChainSecurity

Open Source Security at scale with Michael Winser

Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It’s not cheap or easy, but he’s getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries, which is the first step in a very long journey.

Open Source Security
@algernon @jak2k we don’t make mistakes, we have happy accidents!
@algernon I am very interested in this internet punching technology

@bagder @gregkh @hanno

Probably add @sjvn to this

Finding vulnerabilities in code is something humans are bad at. There are a few that are good (like Hanno), but I would say in general it's not a common skill

So the bar for LLMs to find vulnerabilities is very very low

@bagder I talked to @Foxboron about this a bit at KubeCon a few days ago

The Linux distros figured a lot of this stuff out, then everyone decided they were dumb and slow :)

And now we have <gestures at everything>

@bagder I love this message. Open source was never about trust and will never be about trust

It’s always been about the ability to verify

Don’t trust, verify

Software and digital security should rely on verification, rather than trust. I want to strongly encourage more users and consumers of software to verify curl. And ideally require that you could do at least this level of verification of other software components in your dependency chains.

Attacks are omnipresent

With every source code commit and …

daniel.haxx.se
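The "verify, don't trust" point above is about checking a release before you build or ship it. The script below is an added example, not code from Josh's posts or from the curl project: a POSIX shell routine that checks a downloaded tarball against a published `sha256sum`-style checksum list, and optionally a detached PGP signature when `gpg` is installed. The file names, checksum-list format and key handling are assumptions for illustration; curl publishes its own signatures and checksums, so match whatever the real release page provides.

```shell
#!/bin/sh
# Added example (not from the original post or the curl project).
# Assumes the checksum list uses the "<hex>  <filename>" lines that sha256sum
# emits (a leading "*" marks binary mode and is tolerated).

# Print the SHA-256 digest of a file; works with coreutils or BSD tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE SUMSFILE
# Returns 0 only when SUMSFILE lists FILE's basename and the listed digest
# matches the file's actual digest. A missing entry is treated as a failure,
# because "nothing published" must not silently pass.
verify_checksum() {
    file="$1"
    sums="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n {print $1; exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum published for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# verify_signature FILE SIGFILE
# Checks a detached PGP signature with gpg. The signing key must already be in
# the local keyring (imported from the project's published key, a hypothetical
# step here). Fails closed when gpg is not installed rather than pretending
# the signature was checked.
verify_signature() {
    file="$1"
    sig="$2"
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not available; signature for $(basename "$file") NOT verified" >&2
        return 1
    fi
    gpg --verify "$sig" "$file"
}

# Typical use, with hypothetical file names:
#   verify_checksum curl-8.x.y.tar.xz SHA256SUMS && \
#   verify_signature curl-8.x.y.tar.xz curl-8.x.y.tar.xz.asc
```

The checksum check only proves you got the bytes the publisher listed; it does not prove who published them, which is what the signature check is for. Treat a missing checksum entry or a missing `gpg` the same way as a mismatch: stop the build.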