Frederic Plais

Over the weekend, we responded to the critical "DirtyFrag" Linux vulnerability (CVE-2026-43284 and CVE-2026-43500) by deploying an emergency kernel patch across all regions. While our systems are not affected by the RxRPC vulnerability (CVE-2026-43500) as we don't compile that kernel module, we were affected by the IPsec ESP vulnerability (CVE-2026-43284) and needed to apply patches immediately. To protect your data and minimize exploitation risk during the rollout, we temporarily restricted SSH and deployment access and performed brief service restarts. While this vulnerability "only" provided root access within affected systems, we recognize that such exploits are typically used as the first step in a chain of attacks, potentially leading to container escapes and broader infrastructure compromise. Given this risk, we chose to err on the side of caution by implementing temporary access restrictions during our update window. We understand this disruption was inconvenient, and the decision to disable SSH access was not made lightly. However, we believe these swift and decisive actions were essential to safeguarding your systems and data. Our priority is always to maintain the security and integrity of your infrastructure. All services have now been fully restored, and you can access your projects and deployments as normal. If you're still experiencing any issues, please don't hesitate to contact our support team. We appreciate your patience and understanding as we work to keep your hosting environment secure.

We're coming out of stealth to announce our cyber defense research lab. We are exploring data and post-training techniques to build superhuman cyber defenders. Our mission is to make sure the West always wins. The last 3 months we've built an automated data pipeline to create training data from 80k CVEs (aka public vulnerabilities). Our next topic? Post training a model that's better at fixing all the vulnerabilities in your codebase. Like really fixing them. Not saying it's secure when there are still ways to exploit them. Here are the questions that keep us awake at night: How do you train a model to defend without improving its capabilities to attack? What's the right reward? How to measure the defense capabilities? How do you create synth training data that reproduces real systems? What kind of access do you give an ai cyber defender? How far can you trust it? If you know insanely good cyber experts (red team, blue team, CTF aficionados) or ML engineers (synth data generation and post-training models), send them my way. We need to make models far better at defending.