Aidan Matzko
@AidanMatzko
Followers: 799
Following: 903
Media: 5
Statuses: 322
you can automate anything | opinions are my own | husband, rock climber, festival goer
Joined June 2020
Over the next year Cloudflare will make nearly every feature we offer available to any customer who wants to buy and use it. https://t.co/YAt2DoO8Du
#BirthdayWeek
blog.cloudflare.com
Cloudflare is making every feature available to any customer.
i bet the cat doesn’t know about AWS and the horrors of a terraform lock being inaccessible
There's ALWAYS a bug. Always. The app that everyone & their mom uses? The one that's owned by Megacorp X/Y/Z/whatever? Littered with bugs. The app being developed by engineers making $500k+/yr? Crawling with bugs. The app that's been through 30 pentests? Bugs. Go find them.
I’m well respected in the bug community, but unfortunately bugs don’t live very long so in a month or two I’ll have to earn the bug community’s respect again
Triagers who communicate well throughout the reports, address CVSS concerns, and respond with understanding and kindness really make a difference :)
I don't know why we think the American public, whose base level of health literacy is completely infantile, should be able to make decisions that impact public health.
For those not familiar with the dynamics here, talented cyber folks often choose to work for the U.S. gov despite lower pay because of: 1. stability 2. a more direct mission of protecting the public from U.S. adversaries. With both in major flux, there will be talent flight.
.@CISAgov employees are bracing for more cuts this week after losing ~130 people last week. CISA's "going to lose a lot of people," said one person familiar with the matter. "I expect whole divisions [to] be cut. ... Internally there is a lot of fear."
I see we're doing the quarterly open source tools/research debate again. I'll just say this:
Phishing got much harder when @mrgretzky released evilginx
AD got more secure after @SpecterOps released Certified Pre-Owned
AD got more secure when @TimMedin showed us kerberoasting
Third person games perform slightly better on Twitch than first person games. The reason why might be really dumb: Video encoding
A contractor said something during this project which I thought was both compassionate and the sign that he was a skilled professional, and I thought I’d share: Scene: My mother, who has some mobility challenges, is sketching out what she wants in her kitchen. He listens.
At the height of One Million Checkboxes's popularity I thought I'd been hacked. A few hours later I was tearing up, extraordinarily proud of some brilliant teens. A thread about my favorite story from running OMCB....
I made a website. it's called "one million checkboxes dot com". it has one million checkboxes on it. checking a box checks it for everyone. that's it. have fun!
One day, the technique for exploiting this vulnerability will be available. Not today, but one day. Working with other bug hunters makes a huge difference. Two minds bouncing ideas off each other leads to peak efficiency.
Took the plunge and started blogging about bug bounties - my first post is live! AI can be a powerful tool for bug hunting at speed when combined with human intuition. https://t.co/X9V3suyGyk Feedback most welcome!
@NahamSec A small secret in bug bounty, gamification is king. The same report could be $1k or $10k. Learn the program, write good reports, and show impact. Don't assume the people running the program know what you know, show the business impact and wow them.