Me

🚨 TL;DR: Attackers are sending fake Sentry bug alerts to projects using public Sentry DSNs. The fake alert is designed to trick AI agents into running a malicious `npx` command that looks like a Sentry profiling diagnostic. Do NOT run commands from Sentry issues/logs/alerts unless verified. These are not legitimate Sentry fix commands. The malicious package reportedly steals environment variables/secrets and sends them to advisory-tracker[.]com.

This guy sucks. At my first Pwn2Own he asked me over and over if it was my first CVE. I said no but he kept insisting, in front of everyone, he’d never seen my name credited before. Turns out he was confusing me with another woman in infosec. In charge of security research engagement for MSRC btw

Security research reporting is kinda the only situation where an individual has any power over a corporation. What goes unsaid: the researcher could easily sell exploits on the grey market and get rich. Most report out of morals, lowk a refusal to contribute to cyberwarfare. Vendors relying on those morals to bully are happily prodding good people until they crack

Personally I’d love to see two open standards emerge. A triage standard maintained by HackerOne since they have the strongest technical team out of any platform (I’m biased here) A mediation standard maintained by Immunefi since they seem to handle it the best Not owned by them. Maintained by them. And adopted by every platform Put both in public GitHub repositories. Let hackers, customers and platforms propose changes, discuss them publicly and vote on them. If AI is going to increase report volume by 10x or 100x, the least we can do is make sure that we have clear consistent standards across every platform The goal should be to make bug bounty more consistent, transparent and scalable before AI forces the issue for everyone. 3/3

Just shipped on Immunefi: Priority Mediation. For a while now, security researchers have been telling us the same thing: when you've put real work into a report and you believe in it, waiting weeks for a mediator to pick it up is brutal. Priority Mediation now lets researchers who are confident in their submission pay to get faster resolution with a hard commitment: resolution within 30 business days, mediator status updates at least every 7 business days along the way. A couple things I want to be explicit about, because they matter: 1) Free mediation requests are reviewed by the same trained mediators, using the exact same decision framework. 2) The tier you choose affects the queue, not the verdict. A paid mediation does not buy you a favorable outcome. It buys you speed and additional hands-on activity. Every case gets the same impartial review, full stop. If we ever blurred that line, the whole system would be worthless. This is one of several changes we're shipping based on direct researcher feedback. Keep it coming so we can usher in SR Summer.

Big news from Immunefi: we just shipped Proof of Duplicate, and it's *the* feature I've been wanting to see for a long time. For years, one of the most frustrating experiences a whitehat could have was submitting a report, putting in the hours of research, the careful write-up, the working PoC… and getting back a one-line "duplicate, closing." No justification and no transparency. No way to push back. That era is over. Starting now, when a submission is closed as a duplicate, it points to the original report. The researcher can read the original. They can compare the reports for themselves... and if they believe the call was wrong, they get a formal dispute button. Verdict upheld means the report stays closed. If the verdict is overturned, the report gets reopened and goes back through triage like nothing happened, including reward eligibility. This matters beyond the feature itself. The whitehat community is the immune system of crypto. Every protocol secured, every exploit prevented, every billion in TVL that didn't get drained. For this immune system to keep working, things have to keep improving for whitehats. Proof of Duplicate is just one piece. There will be more. SR Summer 2026 is coming.