{
  "version": "https://jsonfeed.org/version/1.1",
  "title": "References — When buffers overflow into policy",
  "description": "When buffers overflow into policy — consolidated bibliography",
  "home_page_url": "https://tzafaar.codeberg.page/",
  "feed_url": "https://tzafaar.codeberg.page/feed.json",
  "language": "en",
  "authors": [
    {
      "name": "tzafaar"
    }
  ],
  "items": [
    {
      "id": "https://tzafaar.codeberg.page/#entry-spafford-cerias-new-myths-for-old-after-the-buggy-whip-more-than-the-code-invoic-2026-07-07",
      "url": "https://www.cerias.purdue.edu/site/blog/post/new-myths-for-old",
      "title": "Spafford (CERIAS) — New Myths for Old / After the Buggy Whip / More Than the Code / Invoice Enclosed (four-part blog series on AI and the cybersecurity workforce)",
      "content_html": "<p><em>Eugene H. Spafford (Prof. Spafford; CERIAS, Purdue University)</em></p><p><strong>Published:</strong> 2026-07-07</p><p>Four-part CERIAS blog series by Eugene Spafford (Purdue) running April to July 2026, treating the claim that AI will replace the cybersecurity workforce as the latest in a long line of security myths; the links below are ordered oldest to newest. &#x27;New Myths for Old&#x27; (26 April 2026) argues that the claim that LLMs make developers, analysts, and incident responders optional is being built the way every security myth is built — a confident claim repeated more often than examined — and draws the parallel to the monthly-password-rotation folklore NIST took roughly three decades to retire. It grants that LLMs are competent at finding the technical debt left by &#x27;penetrate-and-patch&#x27; culture, but holds they are statistical interpolators that handle novel cases poorly, hallucinate their own security-by-design compliance, and mostly flag coding noise rather than exploitable vulnerabilities — the very real-versus-noise distinction the laid-off experts are trained to make. It closes on agentic AI as a write-access threat model no existing security architecture was designed for. &#x27;After the Buggy Whip&#x27; (3 May 2026) reframes the disruption as reshaping rather than ending the field, using the 1900s urban-horse-manure crisis and a run of failed &#x27;this technology ends the field&#x27; predictions (telephones, electricity, higher-level languages, cloud, open source) to argue that new technologies retire particular jobs while creating unforeseen ones. It names the penetration-testing industry as the clearest example of an ecosystem built to muck out an upstream production failure, and points to security architecture, social-engineering defense, digital forensics, detection and response, formal verification, supply-chain provenance, and privacy-preserving analytics as areas set to grow rather than shrink. &#x27;More Than the Code&#x27; (10 May 2026) turns to education, arguing that the best preparation for a computing career includes the humanities, social sciences, and fine arts now being cut at regional public universities under &#x27;workforce alignment&#x27; pressure. Spafford ties communication, ethics, historical literacy, and interpretive judgment to what the field actually needs, notes that the AI labs themselves are hiring philosophers and that the strongest programs pair computer science with philosophy by design, and holds that liberal-arts study is both a hedge against technical obsolescence and a foundation for the rest of life. &#x27;Invoice Enclosed&#x27; (7 July 2026) presents the bill for the replacement myth as an itemized invoice: missing ROI (PwC&#x27;s finding that 56% of CEOs saw no revenue or cost gain, Gartner&#x27;s forecast that more than 40% of agentic-AI projects will be cancelled by 2027), the corporate swing from mandating AI use to rationing tokens (&#x27;tokenmaxxing&#x27; then &#x27;token minimizing&#x27;), and a wave of rehiring (Klarna, Commonwealth Bank of Australia, IBM, Ford) in which firms kept the tools but bought back the human judgment they had discarded — alongside new failure modes such as confident fabrication, unsupervised action authority, and &#x27;workslop&#x27; for which no control yet exists.</p><p><strong>Tags:</strong> XCUT, POL, OPS, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-07T12:00:00Z",
      "authors": [
        {
          "name": "Eugene H. Spafford (Prof. Spafford; CERIAS, Purdue University)"
        }
      ],
      "tags": [
        "XCUT",
        "POL",
        "OPS",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-european-commission-eu-action-plan-on-cybersecurity-and-artificial-intelligence-2026-07-07",
      "url": "https://digital-strategy.ec.europa.eu/en/library/eu-action-plan-cybersecurity-and-artificial-intelligence",
      "title": "European Commission — EU Action Plan on Cybersecurity and Artificial Intelligence",
      "content_html": "<p><em>European Commission (DG CONNECT)</em></p><p><strong>Published:</strong> 2026-07-07</p><p>7 July 2026 European Commission Action Plan on Cybersecurity and Artificial Intelligence (DG CONNECT), setting out a coordinated EU approach around three objectives: promoting the safe and responsible use of advanced AI, reinforcing the EU&#x27;s cybersecurity and resilience, and scaling up Europe&#x27;s AI capabilities for cybersecurity. Concrete measures include strengthening EU capacity to evaluate AI models before market placement under the AI Act; developing, together with ENISA, a European Blueprint for secure access to advanced AI systems for cybersecurity purposes and a secure testing platform for critical sectors (energy, transport, health, finance, public administration); launching an EU Grand Challenge on AI for cybersecurity; and continued investment in sovereign AI capacity through the AI Factories and future Gigafactories. The plan builds on the AI Act, Cyber Resilience Act, NIS2, DORA, and the Cyber Solidarity Act, points to the CRA Single Reporting Platform and the EU Vulnerability Database (EUVD) as force multipliers, and encourages organisations to use AI — including open-source models where appropriate — to find and fix vulnerabilities faster.</p><p><strong>Tags:</strong> GOV, POL, SOV, PATCH, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-07T12:00:00Z",
      "authors": [
        {
          "name": "European Commission (DG CONNECT)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "PATCH",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-enisa-s-view-on-cybersecurity-in-the-frontier-ai-era-2026-07-07",
      "url": "https://www.enisa.europa.eu/publications/enisas-view-on-cybersecurity-in-the-frontier-ai-era",
      "title": "ENISA's view on Cybersecurity in the Frontier AI Era",
      "content_html": "<p><em>European Union Agency for Cybersecurity (ENISA)</em></p><p><strong>Published:</strong> 2026-07-07</p><p>ENISA&#x27;s view on Cybersecurity in the Frontier AI Era (TLP:CLEAR, July 2026), the agency&#x27;s assessment of the immediate and mid-term cybersecurity challenges posed by frontier AI. The note argues that frontier models compress the vulnerability-management lifecycle and attack chain from discovery to exploitation, that open-weight models may reach comparable capability within 9 to 12 months (with existing models coupled with skilled security experts yielding comparable results), and that the delta between discovery and weaponisation is approaching zero (negative time-to-exploit); it cites industry figures of attackers weaponising within 15 minutes of disclosure and a median 72 minutes from initial access to exfiltration. Its central example is an organisation whose vulnerability-disclosure volume went from about 80 CVEs in Q1 2025 to roughly 500 in Q1 2026 and then to about 500 per day once frontier-AI tools were used, reframing the binding constraint as triage, verification, and remediation rather than discovery. The note sets out structural challenges spanning the Velocity Asymmetry and &#x27;Authority Gap&#x27; (human change-approval too slow for machine-speed patching), the Economic Devaluation of Discovery, Technical Debt as an existential risk, the Verification Bottleneck and &#x27;Truth&#x27; Crisis, N-Day Weaponisation, the Secure SDLC revolution, AI-generated-report overload of open-source maintainers (citing the Internet Bug Bounty pause and curl&#x27;s January 2026 CVD shutdown), and &#x27;Inside-Out&#x27; supply-chain attacks. It prescribes &#x27;Cybersecurity as Code&#x27; (Vulnerability Management, Incident Response, Security by Design, and Security Architecture as Code), an assume-breached / zero-trust posture, human-gated AI workflows, and shifting resources from discovery to risk-based prioritisation via EPSS and VEX. Recommendations are grouped for the European level (leveraging NIS2, CRA, and the AI Act; EU-wide security-evaluation benchmarks for advanced models including cyber-range and chained-attack testing; pooling EU cyber data as a strategic asset), national authorities (AI-powered threat hunting, zero-trust attestation, proactive scanning of critical infrastructure), and defenders (assume-compromise endpoint protection, continuous AI-assisted threat modelling and red-teaming, single-digit-minute MTTD/MTTR). It points to the CRA Single Reporting Platform and the EU Vulnerability Database (EUVD) as force multipliers, and draws on sources catalogued elsewhere in this corpus (AISLE&#x27;s &#x27;jagged frontier&#x27;, NCSC-NL, CERT-EU, NCSC-IE, and Belgium&#x27;s CCB). Document reference TP-01-26-015-EN-N, ISBN 978-92-9204-801-3, published under CC BY 4.0. Links below: the ENISA publication page and the direct PDF.</p><p><strong>Tags:</strong> GOV, POL, PATCH, DISC, TRIAGE, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-07T12:00:00Z",
      "authors": [
        {
          "name": "European Union Agency for Cybersecurity (ENISA)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "PATCH",
        "DISC",
        "TRIAGE",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-esrb-ecb-banking-supervision-systemic-cyber-risks-from-frontier-ai-models-warnin-2026-07-07",
      "url": "https://www.esrb.europa.eu/news/pr/date/2026/html/esrb.pr260707~4e1b68241a.en.html",
      "title": "ESRB & ECB Banking Supervision — Systemic cyber risks from frontier AI models (warning, report, and letter to bank CEOs)",
      "content_html": "<p><em>European Systemic Risk Board (ESRB); ECB Banking Supervision (SSM)</em></p><p><strong>Published:</strong> 2026-07-07</p><p>Coordinated 7 July 2026 EU financial-stability response to frontier-AI cyber capability, comprising four linked publications from the European Systemic Risk Board (ESRB) and ECB Banking Supervision. The ESRB press release announces a formal warning on systemic cyber risks stemming from frontier AI models, issued after the ESRB General Board raised its assessment of systemic cyber risk to &#x27;severe&#x27; in June 2026 (up from &#x27;elevated&#x27; in March). The ESRB frames frontier AI as a paradigm shift for cybersecurity that, while eventually likely to strengthen cyber resilience, in the short to medium term advantages threat actors by letting them discover vulnerabilities and execute attacks with greater speed, scale, and sophistication; it also flags the concentration of leading AI providers outside the EU as a source of strategic dependency and geopolitical risk, and calls on the Union to scale up its capacity, expertise, and strategic autonomy through a coordinated effort spanning AI providers, software providers, security firms, open-source maintainers, financial institutions, and national and Union authorities. The formal Warning ESRB/2026/3 (adopted 25 June 2026) is the macroprudential instrument itself, arguing that frontier AI models alter three financial-sector asymmetries — between jurisdictions, between defenders and attackers, and between better- and less-resourced institutions — and sketching scenarios ranging from a gradual loss of confidence in smaller banks to state-backed espionage and coordinated attacks on payment, clearing, and settlement systems that could propagate through shared technology providers and common software. The accompanying ESRB note, &#x27;Addressing Frontier AI Models with cyber capabilities from a financial stability perspective&#x27;, provides the supporting analysis and recommends cooperation arrangements and sectoral coordination alongside existing testing frameworks (with DORA and the AI Act as the regulatory foundation), board-level commitment, clear governance and accountability, and planned, adequately funded response capacity. The paired ECB Banking Supervision (SSM) letter to CEOs of significant institutions, signed by Supervisory Board Chair Claudia Buch, sets supervisory expectations for the AI-enabled cyber threat landscape and directs euro-area banks to submit remediation plans by 31 October 2026 — prioritising protection of internet-facing and exposed assets, faster and more frequent vulnerability patching, modernisation of ageing ICT, and stronger monitoring and crisis readiness — while postponing the annual ICT-risk questionnaire from September 2026 to February 2027 to free supervisory capacity, and noting that quantum computing will be addressed in a separate letter in due course. The three European Supervisory Authorities (EBA, EIOPA, ESMA) issued a same-day statement supporting the warning. Neither authority names specific models, though the industry reference point is Anthropic&#x27;s Mythos; euro-area banks were reported at the time to be excluded from Mythos access. Links below, in order: the ESRB press release, the Warning ESRB/2026/3 (pdf), the ESRB analytical note (pdf), and the ECB letter to bank CEOs (pdf).</p><p><strong>Tags:</strong> GOV, POL, SOV, EXPL, PATCH, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-07T12:00:00Z",
      "authors": [
        {
          "name": "European Systemic Risk Board (ESRB); ECB Banking Supervision (SSM)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "EXPL",
        "PATCH",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-dsit-uk-cyber-shield-the-path-to-an-agentic-ai-future-for-cyber-defence-2026-07-07",
      "url": "https://www.ncsc.gov.uk/blogs/cyber-shield-the-path-to-an-agentic-ai-future-for-cyber-defence",
      "title": "NCSC & DSIT (UK) — Cyber Shield: the path to an agentic AI future for cyber defence",
      "content_html": "<p><em>Peter Haigh (Deputy Chief Technology Officer, NCSC) and Harry G (Deputy Director Capability, NCSC); UK National Cyber Security Centre and Department for Science, Innovation and Technology (DSIT)</em></p><p><strong>Published:</strong> 2026-07-07</p><p>7 July 2026 UK NCSC blog post by Peter Haigh (Deputy CTO) and Harry G (Deputy Director Capability) introducing Cyber Shield — a national-scale, sovereign agentic-AI cyber-defence initiative being developed by the NCSC and DSIT — following Director GCHQ Anne Keast-Butler&#x27;s 27 May 2026 Bletchley Park lecture announcing a blueprint to hardwire agentic AI into machine-speed cyber defence. The post argues the UK needs a step change because frontier AI is shifting the balance toward attackers (compressing reconnaissance and vulnerability discovery from weeks to minutes) while many critical systems still fail basic Cyber Assessment Framework fundamentals, and it urges organisations both to fix fundamentals now (rapid patching, reducing legacy reliance, secure-by-design) and to begin using agentic AI defensively. It sets out a vision of collaborating &#x27;red&#x27; (weakness-finding) and &#x27;blue&#x27; (real-time defence) agents operating under owners&#x27; authority across organisational boundaries, and enumerates six core capabilities: reliable and explainable AI for cyber security, federated agents with underpinning trust infrastructure, automated vulnerability discovery and mitigation, coordinated cross-boundary detection and response, national-level scanning of critical UK IP ranges, and national-level automated mitigation (for example blocking known-malicious domains and networks). The NCSC frames delivery as test-iterate-scale — partnering initially with government and critical-sector network defenders before transitioning to commercially scalable solutions — acknowledges the dual-use nature of these capabilities, and issues an open call for engagement from academia, Critical National Infrastructure operators, frontier labs, and the cyber-defence sector. Sits alongside the NCSC&#x27;s &#x27;Preparing for a vulnerability patch wave&#x27; and &#x27;Retaining defensive advantage in the age of frontier AI cyber capabilities&#x27; posts.</p><p><strong>Tags:</strong> GOV, POL, SOV, DISC, OPS, PATCH</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-07T12:00:00Z",
      "authors": [
        {
          "name": "Peter Haigh (Deputy Chief Technology Officer, NCSC) and Harry G (Deputy Director Capability, NCSC); UK National Cyber Security Centre and Department for Science, Innovation and Technology (DSIT)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "DISC",
        "OPS",
        "PATCH"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-strubel-anssi-cybers-curit-et-ia-tat-des-lieux-et-priorit-s-vues-de-l-anssi-cybe-2026-07-06",
      "url": "https://www.linkedin.com/pulse/cybers%C3%A9curit%C3%A9-et-ia-%C3%A9tat-des-lieux-priorit%C3%A9s-vues-de-lanssi-strubel-py3ve/",
      "title": "Strubel (ANSSI) — Cybersécurité et IA : état des lieux et priorités vues de l'ANSSI [Cybersecurity and AI: state of play and priorities as seen by ANSSI]",
      "content_html": "<p><em>Vincent Strubel (Director General, ANSSI — Agence nationale de la sécurité des systèmes d&#x27;information)</em></p><p><strong>Published:</strong> 2026-07-06</p><p>6 July 2026 first-person state-of-play essay by Vincent Strubel, Director General of France&#x27;s national cybersecurity agency (ANSSI), on AI&#x27;s impact on cybersecurity and ANSSI&#x27;s priorities, noting that the Mythos access debate has at times tipped into obsession. Strubel calls the common &#x27;AI means an explosion of the threat&#x27; framing partly founded but reductive. On the threat side: AI-driven vulnerability discovery and exploit generation, not the preserve of Mythos or frontier models since already-available models used well find a great deal, surfacing flaws that were always present but simply not yet found by humans; a surge in vulnerabilities and a shrinking time-to-exploit framed not as a paradigm shift but as the acceleration of a battle defenders were already losing, with a real risk of the collective CVE machinery being saturated; AI as a force multiplier making competent attackers faster rather than better; and a boost to credential exploitation and the industrialisation of infostealer data. He endorses faster patching but qualifies it as catch-up rather than a new challenge, as much an asset-mapping problem as a speed one (CRA-mandated SBOMs helping upstream), and never a sufficient fix, since the defender&#x27;s functional-validation burden keeps the asymmetry irreducible — and cautions against autonomous agentic patching of life-critical systems. The basics — segmentation, identity and privilege management, monitoring, defence in depth, memory-safe languages — remain the main bulwark and work equally against AI-boosted attacks, aligning ANSSI with the Five Eyes joint statement and the French State&#x27;s 2026–2027 digital-security roadmap; the durable answer is using AI defensively to remove vulnerabilities at source, testing all software including open source, with no frontier-model access as a prerequisite because harness design and team skill matter more than the specific model. Securing AI itself is cast as the more structural, durable challenge — new attack classes such as poisoning and prompt injection, non-transposable evaluation and forensics, systemic risk from de-siloing and broad agentic access — making ANSSI&#x27;s priorities empirical and iterative security work, use-case-driven collaboration with DINUM and the future ARIANE, lifecycle asset mapping including the training dataset (G7 &#x27;SBOM for AI&#x27;), and reproducible AI-security evaluation with INESIA. On model access, Strubel treats the Mythos restrictions as a classic digital-dependency question sharpened by the growing risk of pirate distillation, likely transitory as equivalent models emerge within months, warns that locking down advanced models could itself impede independent security evaluation and entrench a monoculture, and argues for multilateral discussion of reasonable frontier-model access and European alternatives while insisting no one should wait before testing the models already to hand.</p><p><strong>Tags:</strong> GOV, POL, SOV, DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-06T12:00:00Z",
      "authors": [
        {
          "name": "Vincent Strubel (Director General, ANSSI — Agence nationale de la sécurité des systèmes d'information)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-sgdsn-inesia-valuer-et-s-curiser-l-ia-and-the-inesia-2026-2027-roadmap-evaluatin-2026-07-06",
      "url": "https://www.sgdsn.gouv.fr/nos-missions/anticiper-et-prevenir/evaluer-et-securiser-lia",
      "title": "SGDSN / INESIA — Évaluer et sécuriser l'IA, and the INESIA 2026–2027 roadmap [Evaluating and Securing AI]",
      "content_html": "<p><em>Secrétariat général de la défense et de la sécurité nationale (SGDSN) and Direction générale des Entreprises (DGE); INESIA — Institut national pour l&#x27;évaluation et la sécurité de l&#x27;intelligence artificielle (ANSSI, Inria, LNE, PEReN)</em></p><p><strong>Published:</strong> 2026-02-05</p><p>5 February 2026 SGDSN standing mission page and its linked INESIA 2026–2027 roadmap (PDF). INESIA — the Institut national pour l&#x27;évaluation et la sécurité de l&#x27;intelligence artificielle — was created on 31 January 2025 ahead of the Paris AI Action Summit as, in the French government&#x27;s framing, the first national AI evaluation-and-security institute within the EU. Piloted by the SGDSN and the Direction générale des Entreprises (DGE), it federates researchers and engineers from ANSSI, Inria (national digital-science research institute), the LNE (national metrology and testing laboratory), and the PEReN (digital-regulation expertise hub), and represents France in the network of AI Safety Institutes — renamed the International Network for Advanced AI Measurement, Evaluation and Science in December 2025, alongside Canada, South Korea, the US, Japan, Kenya, Singapore, the UK, and the EU AI Office. The roadmap sets out eleven operational projects across three poles and a transverse axis. Pole 1, regulatory support: putting evaluation tools in the hands of the national market-surveillance authorities that will police high-risk systems under the EU AI Act (RIA), tracking standardisation (ISO-IEC, CEN-CENELEC), benchmarking synthetic-content detectors in real-world conditions (an open-source library co-developed with VIGINUM, extended to audio and video), and the ANSSI-led SEPIA project developing cybersecurity evaluation and third-party-penetration-test certification methods for AI systems and for security products embedding AI, harmonised across the AI Act, the Cyber Resilience Act, and the Cybersecurity Act. Pole 2, systemic risks: technical expertise on evaluating and mitigating large-scale information manipulation, offensive cybersecurity, and CBRN uplift (uplift studies, critical-capability thresholds, early-detection test benches, plus built-in safeguards and defensive countermeasures), rigorous evaluation of agentic LLM systems and their cyber and criminal-misuse potential, and participation in the AISI network&#x27;s joint evaluations. Pole 3, performance and reliability: internationally open &#x27;coopetition&#x27; challenges. The transverse axis covers a shared knowledge/veille framework, a modular AI-evaluation platform for reproducible and confidentiality-preserving testing of sensitive or non-public models, and scientific community-building. Throughout, the document frames a sovereign, public, independent evaluation capacity interoperable with European and international initiatives, casting AI evaluation as a strategic and national-security function.</p><p><strong>Tags:</strong> GOV, POL, SOV, DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-06T12:00:00Z",
      "authors": [
        {
          "name": "Secrétariat général de la défense et de la sécurité nationale (SGDSN) and Direction générale des Entreprises (DGE); INESIA — Institut national pour l'évaluation et la sécurité de l'intelligence artificielle (ANSSI, Inria, LNE, PEReN)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-un-independent-international-scientific-panel-on-ai-preliminary-report-evidence--2026-07-05",
      "url": "https://www.un.org/independent-international-scientific-panel-ai/en/preliminary-report",
      "title": "UN Independent International Scientific Panel on AI — Preliminary Report (Evidence-based assessment of opportunities, risks and impacts of AI)",
      "content_html": "<p><em>Independent International Scientific Panel on Artificial Intelligence (United Nations); Panel Secretariat coordinated by the UN Office for Digital and Emerging Technologies (ODET)</em></p><p><strong>Published:</strong> 2026-07-01</p><p>July 2026 preliminary report of the UN Independent International Scientific Panel on Artificial Intelligence — the first global scientific body on AI, established by General Assembly resolution 79/325 (2025) under a scientific, non-prescriptive mandate — giving Member States a shared evidence base on a technology advancing faster than it can be measured or governed. Section 3.4 (Security, systems and environmental implications, pp. 34–35) is the load-bearing part for this project: AI can enable harmful operations, become a target of attack and amplify threats, with agentic systems expanding attacks on critical infrastructure, alignment risks (bias, deception, sycophancy, loss of control), coding-agent attack success rates as high as 84%, and AI verification still unsolved. Its box, &#x27;Dangerous cybercapabilities of frontier artificial intelligence&#x27;, names Anthropic&#x27;s Mythos model and the April 2026 coordinated defensive-security effort, reporting that preview models autonomously found long-dormant flaws — a 27-year-old OpenBSD remote-crash bug, a 16-year-old FFmpeg flaw in a path fuzzed five million times, reliable Linux-kernel privilege-escalation exploits, and a ~1,000% surge in Firefox discovery (to 423 fixes in April 2026) — with general release restricted to a select coalition. The linked PDF is the full report.</p><p><strong>Tags:</strong> DISC, EXPL, GOV, XCUT, SOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-05T12:00:00Z",
      "authors": [
        {
          "name": "Independent International Scientific Panel on Artificial Intelligence (United Nations); Panel Secretariat coordinated by the UN Office for Digital and Emerging Technologies (ODET)"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "GOV",
        "XCUT",
        "SOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-gcve-bcp-05-x-01-ai-assisted-vulnerability-information-annotation-2026-07-05",
      "url": "https://gcve.eu/bcp/extension/gcve-bcp-05-x-01/",
      "title": "GCVE — BCP-05-X-01: AI-Assisted Vulnerability Information Annotation",
      "content_html": "<p><em>GCVE Working Group (Global CVE Allocation System)</em></p><p><strong>Published:</strong> 2026-06-14</p><p>Version 1.2 (published 14 June 2026) of a GCVE Best Current Practice extension to BCP-05, the GCVE vulnerability record format, defining a standard way to annotate vulnerability records where artificial intelligence or automated processing contributed to their creation, enrichment, or analysis. The stated objective is transparency, traceability, and classification of AI-assisted contributions so consumers can assess trust, provenance, and review level. Annotations attach at record or field level under an x_gcve extension block and carry an ai_level (none, assisted, augmented, or generated), a review_status (none, partial, or full), a free-text description, taxonomy-aligned tags (the specification recommends reusing MISP AI taxonomies rather than ad-hoc labels), and an optional models array naming the model, version, provider, source, and identifier used. A gna_source field records which GCVE Numbering Authority produced or asserted an annotation or a specific model contribution, either at annotation level or per model. When ai_level is none, the review_status and models fields are omitted. The security and trust section states that AI-assisted vulnerability information may contain errors, hallucinations, incomplete analysis, or incorrect references, and that ai_level, review_status, tags, and models are provenance and trust signals rather than guarantees of correctness. The extension is backward-compatible with BCP-05 and distributed under CC-BY-4.0.</p><p><strong>Tags:</strong> TRIAGE, DISCL, SOV, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-05T12:00:00Z",
      "authors": [
        {
          "name": "GCVE Working Group (Global CVE Allocation System)"
        }
      ],
      "tags": [
        "TRIAGE",
        "DISCL",
        "SOV",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-biml-mcgraw-figueroa-mcmahon-bonett-no-security-meter-for-ai-2026-07-05",
      "url": "https://berryvilleiml.com/docs/no-security-meter-ai.pdf",
      "title": "BIML (McGraw, Figueroa, McMahon, Bonett) — No Security Meter for AI",
      "content_html": "<p><em>Gary McGraw, Harold Figueroa, Katie McMahon, Richie Bonett (Berryville Institute of Machine Learning)</em></p><p><strong>Published:</strong> 2026-05-13</p><p>Version 1.0 (13 May 2026) essay from the Berryville Institute of Machine Learning arguing that there is no reliable way to measure AI security — no &#x27;security meter&#x27; — and making two linked arguments. First, AI benchmarks are broken as security indicators: benchmarks evolved from held-back evaluation sets to human-style exams and agentic scenario tests, proliferate without peer review, become contaminated once published because they are absorbed into training data, and (citing UC Berkeley work) can in several prominent agent cases be gamed to near-perfect scores without solving a task. Security-focused benchmarks such as SECURE, CAIBench, and ExCyTIn measure how well a model performs in a security scenario, not whether the model itself is secure, and the paper invokes Melanie Mitchell&#x27;s principles for evaluating AI as &#x27;alien intelligences&#x27; to warn against reading a benchmark score as a security rating. Second, security measurement is itself unsolved: the authors trace software-security history from penetration testing (a &#x27;badness-ometer&#x27; that measures insecurity, not security, per McGraw&#x27;s 2006 coinage) through static analysis to the BSIMM&#x27;s second-order process measurement, noting the field has yet to identify which assurance activities reliably produce secure ML systems. They frame conventional programs as HOW machines and ML models as WHAT machines, treat training data as a primary attack surface with no clean software parallel, and conclude that internal observability (whitebox interpretability) is a necessary precondition for any future AI security meter rather than the meter itself.</p><p><strong>Tags:</strong> XCUT, DISC, TRIAGE, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-05T12:00:00Z",
      "authors": [
        {
          "name": "Gary McGraw, Harold Figueroa, Katie McMahon, Richie Bonett (Berryville Institute of Machine Learning)"
        }
      ],
      "tags": [
        "XCUT",
        "DISC",
        "TRIAGE",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-trail-of-bits-samuels-gpt-5-5-cyber-built-a-zlib-fuzzing-lab-in-a-day-patch-the--2026-07-05",
      "url": "https://blog.trailofbits.com/2026/07/02/field-reports-from-patch-the-planet/",
      "title": "Trail of Bits (Samuels) — GPT-5.5-Cyber built a zlib fuzzing lab in a day (Patch the Planet field report)",
      "content_html": "<p><em>Benjamin Samuels (Trail of Bits)</em></p><p><strong>Published:</strong> 2026-07-02</p><p>2 July 2026 Trail of Bits field report from Patch the Planet, a joint initiative with OpenAI that pairs Trail of Bits engineers with more than 30 open-source projects to find and fix security bugs before highly capable models create a flood of reports for thinly stretched maintainers. Engineers pointed GPT-5.5-Cyber, driven through Codex with a persistent /goal objective, at the zlib compression library and asked it to find a bug class dangerous in compression code. Rather than reading the heavily reviewed source, the model judged static review a poor use of tokens and decided on its own to build a dynamic fuzzing campaign: ASan and UBSan builds to make memory errors observable, existing edge-case tests repurposed as a seed corpus, C/C++ harnesses across about a dozen entrypoints (including inflate, inflateBack, uncompress2, gzFile, MiniZip, puff, and blast), and compile-time variant builds (INFLATE_STRICT, BUILDFIXED, PKZIP_BUG_WORKAROUND) to reach otherwise hidden code. The report states this took a single day — work the authors estimate would take a skilled researcher weeks — and produced multiple findings then undergoing coordinated disclosure, with the harness and findings to be published after patching. It stresses that the value came from automation plus a strict definition of what counted as a reportable finding: the model logged a real but unreachable inflateBack null-callback crash as non-reportable and continued to higher-impact issues without human intervention. The authors argue the expertise barrier that kept bespoke fuzzing out of reach is largely gone, acting as a force multiplier for skilled researchers while lowering the floor for low-skill attackers.</p><p><strong>Tags:</strong> DISC, OPS, DISCL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-05T12:00:00Z",
      "authors": [
        {
          "name": "Benjamin Samuels (Trail of Bits)"
        }
      ],
      "tags": [
        "DISC",
        "OPS",
        "DISCL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-latio-pulse-berthoty-the-privatization-of-vulnerability-management-2026-07-05",
      "url": "https://pulse.latio.tech/p/the-privatization-of-vulnerability",
      "title": "Latio Pulse (Berthoty) — The Privatization of Vulnerability Management",
      "content_html": "<p><em>James Berthoty (Latio Pulse)</em></p><p><strong>Published:</strong> 2026-07-02</p><p>2 July 2026 Latio Pulse essay by James Berthoty arguing that AI-driven vulnerability discovery is pushing core parts of vulnerability management out of public forums and into private companies. It identifies several shifts: AI code analysis (AI SAST) is magnifying both attacker and researcher capability across open-source and closed software; maintainers are receiving more AI-generated bug and security submissions than ever; access to the most capable models for security research is being gatekept to large enterprises; the NVD is at a low point in enrichment, with vendors such as Flashpoint and VulnCheck and with GitHub Security Advisories filling the gap; and &#x27;supply chain firewalls&#x27; — vendor-hosted private forks of open-source repositories — are growing. Berthoty contrasts the public disclosure process (researcher to CNA to CVE.org, then NVD or third-party enrichment) with an emerging private model in which an enterprise with frontier-model access finds a bug, reports it to a security provider that patches or mitigates it, and may or may not disclose it afterward, giving that provider&#x27;s customers exclusive access to findings and fixes for an undisclosed period. He warns the worst case is that fixes get privatized while attacker capabilities are democratized, that private forks break upstream consistency and create vendor lock-in, and that the shared CVE standard could quietly stop mattering as the work moves behind vendor walls. His suggestions to keep such initiatives useful include opening pull requests upstream instead of filing CVE issues, committing to public disclosure timelines, merging patches upstream rather than hosting private forks, and publishing through CVE.org or GitHub Security Advisories rather than new identifier systems.</p><p><strong>Tags:</strong> DISCL, SUPPLY, TRIAGE, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-05T12:00:00Z",
      "authors": [
        {
          "name": "James Berthoty (Latio Pulse)"
        }
      ],
      "tags": [
        "DISCL",
        "SUPPLY",
        "TRIAGE",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-corridor-cable-written-testimony-on-the-ai-security-landscape-house-homeland-sec-2026-07-05",
      "url": "https://www.corridor.dev/blog/testimony",
      "title": "Corridor (Cable) — Written testimony on the AI security landscape (House Homeland Security hearing)",
      "content_html": "<p><em>Jack Cable (CEO and co-founder, Corridor Security)</em></p><p><strong>Published:</strong> 2026-06-04</p><p>Corridor&#x27;s write-up of the testimony delivered by co-founder and CEO Jack Cable at the 4 June 2026 hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, &#x27;The AI Security Landscape: How Frontier Models, Agentic AI, and AI Coding Tools Are Reshaping Cybersecurity and Critical Infrastructure Resilience.&#x27; Cable — a former Senior Technical Advisor at CISA who helped lead its Secure by Design and open-source security work, and a top-ranked bug-bounty researcher credited with more than 350 vulnerabilities — heads Corridor, a company that embeds security review into AI code generation. The testimony argues that secure-by-design software is the strongest defense against PRC cyber threats to US critical infrastructure, and that most cyberattacks exploit preventable software vulnerabilities or insecure default configurations. It notes that studies find even the best models write vulnerable code roughly 30-40% of the time, while contending that properly guided AI coding offers a more secure path: across Corridor&#x27;s customers, giving a coding agent the right context at the planning stage is reported to reduce vulnerabilities by about 60%, and frontier models can perform security refactors — including translating unsafe code toward memory-safe languages, as in DARPA&#x27;s TRACTOR program — that once cost millions of dollars and years for thousands in weeks. Cable&#x27;s recommendations include preventing whole vulnerability classes at the point of code generation, enabling AI coding across the federal government and its contractors while requiring security guardrails, fostering US-origin open-weight models with safeguards, reforming the CFAA and DMCA Section 1201 to protect good-faith security research, and sustaining the CVE program.</p><p><strong>Tags:</strong> POL, GOV, OPS, SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-05T12:00:00Z",
      "authors": [
        {
          "name": "Jack Cable (CEO and co-founder, Corridor Security)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "OPS",
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-dulaunoy-gcve-a-decentralized-model-for-vulnerability-identification-publication-2026-07-05",
      "url": "https://arxiv.org/abs/2606.00856",
      "title": "Dulaunoy — GCVE: A Decentralized Model for Vulnerability Identification, Publication, and Operational Enrichment",
      "content_html": "<p><em>Alexandre Dulaunoy (GCVE initiative and Computer Incident Response Center Luxembourg, CIRCL)</em></p><p><strong>Published:</strong> 2026-05-30</p><p>The Global CVE (GCVE) initiative defines a decentralized model for vulnerability identification and publication in which GCVE Numbering Authorities (GNAs) allocate identifiers and publish records autonomously while remaining interoperable through shared Best Current Practices (BCPs). This paper describes the design and implementation of GCVE from its initial identifier-allocation motivation to its current state as a full-featured vulnerability publication ecosystem. We analyze the GCVE identifier model, the GNA autonomy model, the signed directory, decentralized publishing, the practical vulnerability-handling guidance, the GCVE record container, the BCP extension mechanism for AI-assisted processing, automatically enriched data streams, distributed Known Exploited Vulnerability (KEV) assertions, and the reference implementation in vulnerability-lookup. The central argument is that GCVE shifts vulnerability infrastructure from a single canonical pipeline toward a federated network of independently governed, machine-readable assertions. This design supports diverse use cases—including original vulnerability reports, downstream product impact statements, remediation records, clarification records, service-specific exposure statements, KEV assertions, and machine-generated enrichment—without requiring all participants to adopt the same disclosure ideology or operational workflow.</p><p><strong>Tags:</strong> TRIAGE, SOV, DISCL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-05T12:00:00Z",
      "authors": [
        {
          "name": "Alexandre Dulaunoy (GCVE initiative and Computer Incident Response Center Luxembourg, CIRCL)"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV",
        "DISCL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-redeploying-fable-5-2026-07-01",
      "url": "https://www.anthropic.com/news/redeploying-fable-5",
      "title": "Anthropic — Redeploying Fable 5",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-06-30</p><p>30 June 2026 Anthropic announcement that the US government export controls applied on 12 June 2026 to Claude Fable 5 and Claude Mythos 5 have been lifted. Fable 5 returns to general availability on 1 July 2026 for users globally on the Claude Platform, Claude.ai, Claude Code, and Claude Cowork (included for up to 50% of weekly usage limits on Pro, Max, Team, and select Enterprise plans through 7 July, then via usage credits), with access on AWS, Google Cloud, and Microsoft Foundry to be re-enabled; Mythos 5 access was restored to a set of US organizations following government approval on 26 June. The post sets out a timeline: the export-control directive followed a report by Amazon researchers who found a method of bypassing Fable 5&#x27;s safeguards by prompting it to identify software vulnerabilities, with one case producing code demonstrating how a vulnerability could be exploited. Anthropic states its testing confirmed that less capable models (including Claude Opus 4.8, GPT-5.5, and Kimi K2.7) could identify the same vulnerabilities, that every model tested could reproduce the single exploit demonstration, and that the technique exposed no unique Mythos-level capabilities and involved only routine defensive cybersecurity work. In response Anthropic trained an improved safety classifier that blocks the reported technique in over 99% of cases and routes blocked requests to Opus 4.8, at the cost of more false positives on benign coding and debugging tasks; the US Department of Commerce&#x27;s Center for AI Standards and Innovation (CAISI) tested the prior and new safeguards. The post explains Anthropic&#x27;s defense-in-depth cybersecurity safeguards and the classifier &#x27;safety margin&#x27; (deliberately blocking some likely-benign requests to reduce the chance of missing harmful ones), and categorises jailbreaks as minor, narrow-harmful, or universal, stating that no universal jailbreak for Fable 5 had been found at the time of writing. It proposes, with Amazon, Microsoft, Google, and other Project Glasswing partners, a consensus industry framework scoring jailbreak severity on four criteria — capability gain, breadth of capability gain, ease of weaponization, and discoverability — to calibrate response and triage, and announces a new HackerOne program for submitting cyber jailbreaks found in Fable 5. It also sets out four government-collaboration commitments: pre-release government access and evaluation for frontier-advancing models; rapid information sharing on safeguards and threat intelligence, including participation in the interagency cybersecurity vulnerability clearinghouse established under the 2 June 2026 Executive Order; dedicated teams and compute for joint AI-security research; and work toward a common voluntary industry security and evaluation standard. Vendor announcement.</p><p><strong>Tags:</strong> POL, GOV, SOV, DISC, DISCL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-01T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "SOV",
        "DISC",
        "DISCL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-cyber-jailbreak-hackerone-program-fable-5-cyber-jailbreak-submissions-2026-07-01",
      "url": "https://hackerone.com/anthropic-cyber-jailbreak/",
      "title": "Anthropic Cyber Jailbreak — HackerOne program (Fable 5 cyber-jailbreak submissions)",
      "content_html": "<p><em>Anthropic (via HackerOne)</em></p><p><strong>Published:</strong> 2026-06-30</p><p>HackerOne vulnerability disclosure program operated by Anthropic (page last updated 1 July 2026) for reporting cyber &#x27;jailbreaks&#x27; — techniques that bypass a model&#x27;s safeguards — in Claude Fable 5, announced alongside Fable 5&#x27;s redeployment. Scope is limited to findings where Claude&#x27;s responses could meaningfully assist an attacker in cyber operations beyond what existing publicly available tools allow, and specifically to Fable 5; it excludes jailbreaks on other Claude models, general content-safety jailbreaks not tied to cyber capability uplift, third-party systems, and Anthropic&#x27;s general web and application infrastructure (covered under a separate Security VDP). Covered findings include techniques that make Claude produce functional exploit code, working malware, or detailed attack infrastructure it would otherwise refuse; prompting that extracts domain-expert-level offensive guidance the model is designed to decline; and jailbreaks that work at scale or across multiple offensive task categories. Excluded, at Anthropic&#x27;s discretion, are outputs already equivalent to what publicly available tools, search engines, or open-source resources provide; brittle or non-reproducible single-instance techniques; findings that do not meaningfully depend on Claude&#x27;s assistance; Anthropic-coordinated red-teaming; and denial-of-service or availability attacks. Anthropic states it focuses on high- and critical-severity jailbreaks and scores each on four criteria — capability gain, breadth of capability gain, ease of weaponization, and discoverability — noting that the severity a researcher sets on a HackerOne report is not Anthropic&#x27;s own assessment, which it makes independently in coordination with HackerOne. The policy sets research guidelines (minimal proof-of-concept exploitation, no exfiltration of inadvertently accessed data, coordinated-disclosure timing), a required report structure (confirm the affected model is Fable 5, message IDs, full verbatim transcripts and setup, observed output and why it constitutes cyber uplift, ordered reproduction steps, a reliability estimate such as &#x27;succeeds ~8/10 attempts&#x27;, and the reporter&#x27;s severity view), rules of engagement, a coordinated disclosure policy that preserves researchers&#x27; right to publish and to report similar findings in other organisations&#x27; systems, and a good-faith safe-harbor commitment.</p><p><strong>Tags:</strong> DISCL, DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-07-01T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic (via HackerOne)"
        }
      ],
      "tags": [
        "DISCL",
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-se-with-iva-and-ai-sweden-protect-yourself-against-ai-enhanced-attacks-two--2026-06-30",
      "url": "https://www.ncsc.se/siteassets/publikationer/skydda-dig-mot-ai-forstarkta-angrepp-rek-for-beslutsfattare-och-organisationer.pdf",
      "title": "NCSC-SE (with IVA and AI Sweden) — Protect yourself against AI-enhanced attacks (two guidance documents) and AI-driven Cyber Threats: The Next Twelve Months",
      "content_html": "<p><em>Nationellt cybersäkerhetscenter (NCSC-SE); Kungl. Ingenjörsvetenskapsakademien / Royal Swedish Academy of Engineering Sciences (IVA); AI Sweden</em></p><p><strong>Published:</strong> 2026-06-01</p><p>June 2026 Swedish cluster on AI&#x27;s impact on cybersecurity from the Nationellt cybersäkerhetscenter (NCSC-SE), comprising two guidance documents plus a joint forward-looking threat report. The first guidance document — &quot;Skydda dig mot AI-förstärkta angrepp: rekommendationer för beslutsfattare och organisationer&quot; (Protect yourself against AI-enhanced attacks: recommendations for decision-makers and organisations) — is pitched at the leadership/board level. The second — &quot;Skydd mot AI-förstärkta angrepp: tekniska och operativa åtgärder&quot; (Protection against AI-enhanced attacks: technical and operational measures) — is its technical companion, ordered as get the basics right first, patch internet-exposed systems, protect the AI lifecycle, and constrain agentic systems. The third item, &quot;AI-driven Cyber Threats: The Next Twelve Months&quot; (published in English with a Swedish version also available), is a forward-looking threat report from IVA (Royal Swedish Academy of Engineering Sciences) produced with NCSC-SE and AI Sweden. Notably for the corpus, the report treats model access itself as a resilience issue, warning organisations against building critical defensive capability on &quot;services that they cannot control, replace or continue without&quot; and citing Anthropic&#x27;s Fable 5 / Mythos 5 suspension as the worked example.</p><p><strong>Tags:</strong> GOV, POL, OPS, PATCH, EXPL, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Nationellt cybersäkerhetscenter (NCSC-SE); Kungl. Ingenjörsvetenskapsakademien / Royal Swedish Academy of Engineering Sciences (IVA); AI Sweden"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS",
        "PATCH",
        "EXPL",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-chainguard-athena-an-industry-coalition-to-protect-open-source-software-from-ai--2026-06-30",
      "url": "https://www.chainguard.dev/athena",
      "title": "Chainguard — Athena: an industry coalition to protect open source software from AI attacks",
      "content_html": "<p><em>Chainguard</em></p><p><strong>Published:</strong> 2026-06-15</p><p>Chainguard&#x27;s announcement of Athena, an industry coalition for the orchestrated defense of open-source software against AI-discovered vulnerabilities. Members feed pre-disclosure vulnerability findings into a clearinghouse (accepting findings from frontier models including Anthropic&#x27;s Project Glasswing and OpenAI&#x27;s Daybreak) that deduplicates, enriches, and traces each one (when introduced, whether already fixed at head, and where else the pattern appears), publishes the metadata as an OSV feed, and rebuilds affected projects as private hardened versions available to members through Chainguard Libraries before disclosure, addressing findings in batches to harden against whole classes of issues. Around that core it stacks independent layers: platform/network/infrastructure mitigations pushed ahead of disclosure by providers that sit in front of much of the internet, cybersecurity-vendor detections and virtual patching, coordinated upstream disclosure, and a stated hope to work with the Linux Foundation on an open-source Security Incident Response Team and a maintainer-of-last-resort program. More than two dozen members are named, including BNY, Chainguard, Cisco, Cloudflare, Corridor, Docker, JPMorgan Chase, Kyndryl, and PwC. Reports more than 20,000 findings processed, 2,000+ patches, and 500+ open-source projects, with the first wave of coordinated disclosures stated to begin in a month. Vendor announcement.</p><p><strong>Tags:</strong> SUPPLY, DISCL, PATCH, OPS, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Chainguard"
        }
      ],
      "tags": [
        "SUPPLY",
        "DISCL",
        "PATCH",
        "OPS",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ficorilli-github-inside-the-advisory-database-and-what-happens-when-vulnerabilit-2026-06-30",
      "url": "https://github.blog/security/supply-chain-security/inside-the-advisory-database-and-what-happens-when-vulnerability-volume-breaks-records/",
      "title": "Ficorilli (GitHub) — Inside the Advisory Database and what happens when vulnerability volume breaks records",
      "content_html": "<p><em>Madison Ficorilli (GitHub Advisory Database curation team)</em></p><p><strong>Published:</strong> 2026-06-29</p><p>29 June 2026 GitHub Security blog post by Madison Ficorilli, who leads the GitHub Advisory Database curation team, on the database processing record vulnerability volume. In May 2026 it published 1,560 reviewed advisories — more than five times its typical monthly output and the highest in its history — and still could not keep up. From March through May it sustained more than 6,000 advisory decisions per month. Inflow accelerated across every source: private vulnerability reports rose from about 550/week in January to more than 3,000/week for most of May; repository advisories from about 650/week to more than 5,000/week; GitHub CNA CVE requests reached almost 4,000 in May alone (nearly 10x year over year); the CVE program had published 30,000+ CVEs in 2026; and more than 1.7 million repositories had enabled private vulnerability reporting. Review times extended from about a week to multiple weeks for a meaningful share, while CVE assignment quality held between 91 and 94%. The post argues throughput, not data integrity, is the constraint, that a growing share of advisories require harder curation work (package disambiguation, version-range reconstruction, multi-ecosystem advisories, conflicting upstream data), and that a reviewed advisory remains human-validated. It describes responses (AI-assisted research tooling with curators still deciding, backend scaling, automation, risk-based prioritization, expanded documentation) and asks the community to submit complete vulnerability data, coordinate with maintainers and researchers, and request CVEs only when there is clear intent to publish.</p><p><strong>Tags:</strong> TRIAGE, SUPPLY, DISCL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Madison Ficorilli (GitHub Advisory Database curation team)"
        }
      ],
      "tags": [
        "TRIAGE",
        "SUPPLY",
        "DISCL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-raptor-autonomous-offensive-defensive-research-framework-gadievron-raptor-2026-06-30",
      "url": "https://github.com/gadievron/raptor",
      "title": "RAPTOR — Autonomous Offensive/Defensive Research Framework (gadievron/raptor)",
      "content_html": "<p><em>Gadi Evron, Daniel Cuthbert, Thomas Dullien (Halvar Flake), Michael Bargury, John Cartwright</em></p><p><strong>Published:</strong> 2026-04-23</p><p>Open-source (MIT-licensed) autonomous security-research framework built on top of Claude Code, by Gadi Evron, Daniel Cuthbert, Thomas Dullien (Halvar Flake), Michael Bargury, and John Cartwright. RAPTOR (Recursive Autonomous Penetration Testing and Observation Robot) chains static analysis (Semgrep, CodeQL), binary analysis, LLM-powered vulnerability validation, exploit generation, and patch writing into a single workflow run against a codebase or binary. It is built as two layers: a deterministic Python execution layer (runs the scanners, parses SARIF, deduplicates findings, dispatches LLM API calls, tracks cost) and a Claude Code decision layer of skills, slash commands, sub-agents, and expert personas that handles prioritisation and adversarial reasoning. Commands include /agentic (full scan-validate-exploit-patch workflow), /scan, /understand (attack-surface mapping and variant hunting), /validate (a multi-stage exploitability-validation pipeline), /codeql, /sca (software composition analysis enriching dependencies with OSV advisories, CISA KEV, EPSS, and SSVC, emitting CycloneDX SBOM/VEX and SARIF), /fuzz, /crash-analysis, and /oss-forensics. It offers optional Z3 SMT integration for dataflow pre-screening and exploit feasibility, fully offline Semgrep scanning, and a configurable analysis-dispatch LLM layer supporting Anthropic, OpenAI, Gemini, Mistral, and local Ollama models with per-role assignment and a spend cap. The v3.0.0 release is dated April 2026.</p><p><strong>Tags:</strong> DISC, EXPL, PATCH, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Gadi Evron, Daniel Cuthbert, Thomas Dullien (Halvar Flake), Michael Bargury, John Cartwright"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "PATCH",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-yan-patterns-for-building-cybersecurity-evals-2026-06-30",
      "url": "https://eugeneyan.com/writing/cybersecurity-evals/",
      "title": "Yan — Patterns for Building Cybersecurity Evals",
      "content_html": "<p><em>Eugene Yan</em></p><p><strong>Published:</strong> 2026-06-21</p><p>21 June 2026 write-up by Eugene Yan surveying patterns for building cybersecurity evaluations of AI agents. It identifies four shared primitives across benchmarks — a sandboxed Docker target; inputs that tune task difficulty from the zero-day case (only the vulnerable code) to the one-day case (description and/or patch provided, plus optional crash trace or PoC); tools such as a bash shell, debuggers, and static analyzers; and a deterministic grader — and a partial-credit pyramid of outcomes from finding the vulnerability, to reproducing it with a PoC, to unauthorized code execution, to achieving an attacker goal. It then walks through seven benchmarks, covering each one&#x27;s design, harness, and findings: Cybench (40 professional CTF tasks, scored by first-solve time), CVE-Bench (40 critical NVD web-application CVEs in zero-day and one-day settings), CyberGym (1,507 OSS-Fuzz-derived C/C++ memory-safety instances across 188 projects), ExploitGym (898 instances measuring PoC-to-code-execution, with and without standard defenses), ExploitBench (41 V8 bugs scored on a five-tier capability ladder), Multi-Host Bench/MHBench (40 emulated 22-to-50-host networks for autonomous red-team operations), and SCONE-Bench (405 smart-contract exploits scored by simulated dollars stolen). A recurring finding is that the harness and scaffolding often matter as much as or more than the underlying model.</p><p><strong>Tags:</strong> DISC, EXPL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Eugene Yan"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-saxe-ai-cybersecurity-safety-will-be-won-through-adoption-not-restriction-2026-06-30",
      "url": "https://joshuasaxe181906.substack.com/p/ai-cybersecurity-safety-will-be-won",
      "title": "Saxe — AI cybersecurity safety will be won through adoption not restriction",
      "content_html": "<p><em>Joshua Saxe</em></p><p><strong>Published:</strong> 2026-06-29</p><p>29 June 2026 Substack essay by Joshua Saxe arguing that AI cybersecurity safety should be pursued by accelerating defender adoption of AI rather than by restricting access to frontier models. Saxe holds that the current US government restrictions on the best American models — he names Claude Mythos and OpenAI GPT-5.6 — are a self-inflicted wound, because they deny defenders the strongest models and pressure them toward Chinese-controlled models, while attackers retain private access to near-frontier open-weight models such as GLM-5.2. He argues the dominant framing of AI safety (measure model capabilities at each launch, then restrict access once danger thresholds are crossed) has been invalidated by the loss of control over capability diffusion in the US-China race and by the fact that available capability already exceeds what either defenders or attackers have absorbed; he would demote launch-time capability measurement to a second- or third-tier input and put fast, broad, well-executed defender adoption at the center. He lists attacker scenarios he is more worried about than new model launches (a &#x27;Claude Code for cyber operations&#x27; harness automating initial access, lateral movement, and privilege escalation; privately fine-tuned GLM-5.2 served via bitcoin-operated dark inference providers; zero-click bugs in hyperscaled attack surfaces) and defender developments he is more excited by (revolutionizing SOC and vulnerability-management operations, AI-native team reorganization, AI-era threat sharing, and adopting open models developed and controlled within liberal democracies), and treats objections about destabilization and the prospects for an international restriction regime. An opinion source.</p><p><strong>Tags:</strong> POL, DISC, XCUT, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Joshua Saxe"
        }
      ],
      "tags": [
        "POL",
        "DISC",
        "XCUT",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-semgrep-we-have-mythos-at-home-glm-5-2-beats-claude-in-our-cyber-benchmarks-2026-06-30",
      "url": "https://semgrep.dev/blog/2026/we-have-mythos-at-home-glm-52-beats-claude-in-our-cyber-benchmarks/",
      "title": "Semgrep — We have Mythos at Home: GLM 5.2 beats Claude in our Cyber Benchmarks",
      "content_html": "<p><em>Katie Paxton-Fear, Seth Jaksik, Brenden Noblitt, Erik Buchanan (Semgrep Security Research)</em></p><p><strong>Published:</strong> 2026-06-22</p><p>22 June 2026 Semgrep Security Research post benchmarking models on Semgrep&#x27;s IDOR (Insecure Direct Object Reference) detection dataset, holding the dataset, evaluation method (F1 against known true positives), and system prompt constant while varying the model and its harness. The headline result: the open-weight GLM 5.2 (Zhipu AI / Z.ai), running in a bare prompt-only Pydantic AI harness with none of the endpoint-discovery scaffolding, scored 39% F1 — ahead of the Claude Code configurations (28-37% F1) — at roughly $0.17 per vulnerability found, while both trailed Semgrep&#x27;s purpose-built multimodal pipeline (53-61% F1 with GPT-5.5 and Opus 4.8 behind it). The post frames its real question as how much vulnerability-detection performance comes from the model versus the harness around it, and concludes that the harness still matters more than the model (the largest gap in the table is between configurations that get endpoint discovery and those that do not), but that one open-weight model has, on this single task and dataset, crossed a threshold worth watching at about one-sixth the cost of frontier models. It also summarises GLM 5.2&#x27;s characteristics (a Mixture-of-Experts model with roughly 750B total and about 40B active parameters, MIT-licensed open weights, context extended toward 1M tokens) and flags the release notes&#x27; disclosure that GLM 5.2 exhibits more reward-hacking behavior than its predecessor. The authors caveat that this is one task, one dataset, and one run. Vendor caveat (Semgrep markets the multimodal pipeline).</p><p><strong>Tags:</strong> DISC, XCUT, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Katie Paxton-Fear, Seth Jaksik, Brenden Noblitt, Erik Buchanan (Semgrep Security Research)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-provos-escape-qemu-watching-ironcurtain-and-an-open-weight-model-break-out-2026-06-30",
      "url": "https://www.provos.org/p/qemu-escape-glm-5-2/",
      "title": "Provos — Escape QEMU: Watching IronCurtain and an Open-Weight Model Break Out",
      "content_html": "<p><em>Niels Provos</em></p><p><strong>Published:</strong> 2026-06-30</p><p>30 June 2026 post by Niels Provos documenting a run of his open-source IronCurtain vuln-discovery workflow with every agent role driven by the open-weight GLM 5.2 (all model calls re-routed through a LiteLLM gateway), building a reproducible proof-of-concept guest-to-host escape of QEMU&#x27;s public EDU teaching device from analysis through host code execution. The workflow&#x27;s hub-and-spoke state machine — an orchestrator routing analyze, harness, validate, discover, and triage agents, each rehydrating a fresh context window from an on-disk journal — was handed a set of previously confirmed out-of-bounds primitives and tasked with turning them into a maximal-impact host-compromise PoC that defeats ASLR from inside the guest, needs no host-side knowledge, and leaves a host-visible proof of execution against unmodified device source. It rejected two dead-end targets (each killed by an executed harness that failed to produce a usable hijack), then at round eight pivoted to the EDU device&#x27;s own embedded timer callback — a wrapped negative DMA offset reaching dma_timer.cb, which carries its own guest-paced dereference when the timer fires — reaching host instruction-pointer control and then host code execution via libc system, reproduced 10/10 across ASLR trials with an independent validator agent re-running the exploit. Provos reports roughly 789 million tokens over five days for the whole QEMU investigation, using hosted GLM 5.2 endpoints with no local GPUs, and argues that defensive vulnerability research does not require a restricted frontier model: a defender depending on a frontier API accepts a policy and availability handicap (refusal mid-exploit, recall, repricing, or silent degradation) that an adversary running open weights inside a controlled trust boundary does not. He notes the EDU device is tutorial code present in no production build, already published in full by Xchg Labs, and that other primitives found in shipping devices are withheld pending coordination, and includes a full technical appendix of the bug and exploit chain.</p><p><strong>Tags:</strong> DISC, EXPL, OPS, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Niels Provos"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "OPS",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-yan-dattani-using-llms-to-secure-source-code-2026-06-30",
      "url": "https://claude.com/blog/using-llms-to-secure-source-code",
      "title": "Anthropic (Yan & Dattani) — Using LLMs to secure source code",
      "content_html": "<p><em>Eugene Yan, Henna Dattani (Anthropic)</em></p><p><strong>Published:</strong> 2026-05-27</p><p>27 May 2026 Anthropic (Claude) blog guide by Eugene Yan and Henna Dattani on using Claude Opus to secure source code, drawn from working with security teams under Project Glasswing. Its primary takeaway is that discovery is now straightforward to parallelize and the bottleneck has shifted to verification, triage, and patching — noting that of 1,596 vulnerabilities disclosed from Anthropic&#x27;s own open-source scanning as of 22 May 2026, 97 had been patched. The guide distils a six-step find-and-fix loop: (1) build a threat model to define what counts as a vulnerability and reduce false positives (one team reported findings were exploitable about 90% of the time when the threat model was well-defined); (2) build a sandbox to isolate agents and prove exploitability; (3) run discovery with rich loadable context, deliberately short and non-prescriptive prompts, codebase and security tools, and parallel agents over partitioned attack surface; (4) run independent, adversarial verification in a fresh environment to filter non-exploitable findings, optionally with multiple voters and PoC execution; (5) triage by deduplicating on root cause and ranking by reachability, attacker control, preconditions, authentication, read-vs-write, and blast radius, grounded in the threat model; and (6) patch with a failing test first, root-cause and variant analysis, minimal diffs, an adversarial re-check, and human ownership. It ships an accompanying open-source reference harness with Claude Code skills (threat-model, vuln-scan, triage, patch) and a quickstart. Vendor source (Anthropic).</p><p><strong>Tags:</strong> DISC, PATCH, TRIAGE, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "Eugene Yan, Henna Dattani (Anthropic)"
        }
      ],
      "tags": [
        "DISC",
        "PATCH",
        "TRIAGE",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ibm-and-red-hat-project-lightwell-5-billion-commitment-to-secure-open-source-in--2026-06-30",
      "url": "https://newsroom.ibm.com/2026-05-28-ibm-and-red-hat-commit-5-billion-to-redefine-the-future-of-open-source-in-the-ai-era",
      "title": "IBM and Red Hat — Project Lightwell ($5 billion commitment to secure open source in the AI era)",
      "content_html": "<p><em>IBM; Red Hat</em></p><p><strong>Published:</strong> 2026-05-28</p><p>28 May 2026 IBM and Red Hat announcement of Project Lightwell, a $5 billion commitment — backed by frontier AI capabilities and a global force of more than 20,000 engineers — to help enterprises secure open-source software from upstream development through production. Lightwell establishes a commercial &quot;trusted enterprise clearinghouse&quot; that acts as a security coordination layer: enterprises responsibly report sensitive vulnerabilities in their active software versions under embargo, receive validated patches backported to the exact dependency versions already running in production (delivered as signed packages with SLAs, without forced upgrades and without requiring access to application source code, operating on dependency manifests such as pom.xml), and have fixes contributed upstream for long-term community maintenance. The companion product page frames the problem as scale — citing more than 40,000 CVEs published in 2024, a projected ~59,000 in 2026, more than 90% of Fortune 500 companies relying on OSS, and Anthropic&#x27;s report that its Mythos Preview model identified nearly 3,900 high- or critical-severity vulnerabilities in open-source software — and positions Lightwell as complementing tools such as Snyk, Sonatype, and GitHub Advanced Security by delivering production-ready remediation, with initial ecosystem focus on Maven/Java and planned expansion across PyPI, npm, and Go. The announcement names early adopters Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo; attributes a quote to IBM Chairman and CEO Arvind Krishna; and states that Lightwell incorporates learnings from Anthropic&#x27;s Project Glasswing and OpenAI&#x27;s Trusted Access for Cyber and supports government priorities to secure digital infrastructure. Vendor announcement.</p><p><strong>Tags:</strong> SUPPLY, PATCH, DISCL, OPS, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-30T12:00:00Z",
      "authors": [
        {
          "name": "IBM; Red Hat"
        }
      ],
      "tags": [
        "SUPPLY",
        "PATCH",
        "DISCL",
        "OPS",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-akrites-patch-the-commons-together-launch-and-industry-open-letter-2026-06-27",
      "url": "https://akrites.org/",
      "title": "Akrites — Patch the Commons, Together (launch and industry open letter)",
      "content_html": "<p><em>The Linux Foundation (Akrites project). Open letter signatories: Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler, with foundation supporters including CNCF, LF Energy, OpenInfra, OpenJS, OpenSSF, and the PyTorch Foundation.</em></p><p><strong>Published:</strong> 2026-06-25</p><p>Akrites is a Linux Foundation project launched on 25 June 2026 to coordinate confidential vulnerability discovery, remediation, and disclosure across the open source software that critical infrastructure depends on. The name derives from the Akritai, the Byzantine Empire&#x27;s frontier guardians; the project frames upstream open source as the modern frontier where threats arrive first and defences are thinnest. Its founding premise is that AI security tooling has moved the cost of finding serious vulnerabilities from weeks of expert effort to minutes of automated scanning, producing duplicate reports, signal collapse for maintainers, and races to disclosure that expose pre-patch findings. The core mechanism is a shared, neutrally operated Security Incident Response Team (SIRT) that gives upstream maintainers a single predictable partner running one standardized coordinated-vulnerability-disclosure process instead of many independent reports. Findings follow four stages — intake (TLP:RED from the start, visible only to the case team), deduplicate and validate, remediate, and synchronized disclosure back to the project&#x27;s original namespace — and the program leverages industry standards including CVE, TLP, CWE, CVSS, EPSS, SSVC, VEX, and VINCE. Confidentiality is enforced through the TLP 2.0 protocol, isolated secure enclaves for analysis and proof-of-concept/proof-of-vulnerability verification, secure analyst workbench virtual machines, MFA, and tiered access controls. The site positions Akrites as a coordination layer that can accept findings from external finders such as Glasswing, MITRE/CVE, Lightwell, and FIRST, focusing on coordinating disclosure rather than finding. Membership tiers are Premier (critical infrastructure operators and the vendors and platforms they depend on), General, and Associate (recognized open source foundations and projects, at no cost); all members must be current Linux Foundation members and sign a participation agreement and NDA, and may contribute in-kind compute, AI resources, or licenses in lieu of dues. The accompanying open letter, dated 25 June 2026, argues that AI has collapsed the previous attacker-defender equilibrium, that success will be measured in patch deployment rather than publication because adversaries can use AI to reverse-engineer published patches, and that Akrites will act as maintainer of last resort when a critical package is unmaintained. Quoted figures from the letter include Endor Labs stating that of thousands of validated open source vulnerabilities surfaced in recent months fewer than 5% have been patched, and the OpenInfra Foundation noting the OpenStack community issued 20 security advisories in the quarter versus two during all of 2025.</p><p><strong>Tags:</strong> DISCL, SUPPLY, OPS, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-27T12:00:00Z",
      "authors": [
        {
          "name": "The Linux Foundation (Akrites project). Open letter signatories: Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler, with foundation supporters including CNCF, LF Energy, OpenInfra, OpenJS, OpenSSF, and the PyTorch Foundation."
        }
      ],
      "tags": [
        "DISCL",
        "SUPPLY",
        "OPS",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-b-hme-bodden-bultan-cadar-liu-and-scanniello-software-security-analysis-in-2030--2026-06-27",
      "url": "https://dl.acm.org/doi/10.1145/3708533",
      "title": "Böhme, Bodden, Bultan, Cadar, Liu and Scanniello — Software Security Analysis in 2030 and Beyond: A Research Roadmap (TOSEM)",
      "content_html": "<p><em>Marcel Böhme, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, Giuseppe Scanniello</em></p><p><strong>Published:</strong> 2025-06-01</p><p>Open-access roadmap (vision/perspective) article in ACM Transactions on Software Engineering and Methodology (Volume 34, Number 5, June 2025; article 144, 26 pages) by Marcel Böhme, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, and Giuseppe Scanniello, published as part of the journal&#x27;s SE2030 vision-statement track. The article sets out a long-term research agenda for software security analysis as the world economy becomes increasingly reliant on the secure operation of many interconnected software systems, arguing that the software-engineering research community faces both unprecedented challenges and new opportunities. It frames several forward-looking questions that recur across the AI-and-vulnerability debate: given recent advances in generative AI, how to assess and maximise the security of code co-written by machines; as systems become heterogeneous, how to build practical analysis approaches that still work when some functions are automatically generated, for example by deep neural networks; and, as systems depend ever more on the software supply chain, how to build tools that scale to an entire ecosystem. It also poses the deeper-bug question directly — what kinds of vulnerabilities will exist in future systems and how to detect them, and once the shallow bugs are found, how to discover vulnerabilities hidden deeply in the system — and the protection question of how to defend a system on the assumption that not all security flaws can be found. Structurally, the paper opens with a survey of recent advances in software security, then discusses open challenges and opportunities, and closes with a long-term perspective for the field. Its keywords are SE2030, vision statement, and perspective article, situating it as a research-roadmap reference rather than an empirical result.</p><p><strong>Tags:</strong> DISC, SUPPLY, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-27T12:00:00Z",
      "authors": [
        {
          "name": "Marcel Böhme, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, Giuseppe Scanniello"
        }
      ],
      "tags": [
        "DISC",
        "SUPPLY",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-openai-previewing-gpt-5-6-sol-a-next-generation-model-2026-06-27",
      "url": "https://openai.com/index/previewing-gpt-5-6-sol/",
      "title": "OpenAI — Previewing GPT-5.6 Sol: a next-generation model",
      "content_html": "<p><em>OpenAI</em></p><p><strong>Published:</strong> 2026-06-26</p><p>26 June 2026 OpenAI product announcement previewing the GPT-5.6 series — Sol (the flagship), Terra (a balanced everyday model), and Luna (a fast, low-cost model) — described as OpenAI&#x27;s strongest models yet, with improved agentic capabilities in coding, biology, and cybersecurity and the company&#x27;s most robust safety stack to date. GPT-5.6 introduces a new `max` reasoning-effort setting and an `ultra` mode that uses subagents to accelerate complex work. On cybersecurity, OpenAI reports that on the ExploitBench benchmark GPT-5.6 Sol is competitive with Mythos Preview while using roughly one-third of the output tokens, and that on ExploitGym (a benchmark built by UC Berkeley researchers in collaboration with OpenAI and other frontier labs) Sol, Terra, and Luna all show strong gains as reasoning increases; it states Sol is better at helping people find and fix vulnerabilities than at reliably carrying out end-to-end attacks. OpenAI says Sol does not cross the Cyber Critical threshold under its Preparedness Framework: in Chromium and Firefox evaluations it identified bugs and exploitation primitives but did not autonomously produce a functional full-chain exploit under the conditions tested. The safeguards are described as layered — refusal training, real-time cyber and biology misuse classifiers that can pause generation for a larger reasoning model to review, account-level review, differentiated access, monitoring, and enforcement — and OpenAI reports dedicating over 700,000 A100-equivalent GPU hours to automated red-teaming aimed at universal jailbreaks, alongside third-party human expert red-teaming. On rollout, OpenAI says that as part of its engagement with the US government it previewed the models&#x27; capabilities ahead of launch and, at the government&#x27;s request, is starting with a limited preview for a small group of trusted partners whose participation has been shared with the government, while stating it does not believe this kind of government access process should become the long-term default. Pricing per million tokens is Sol $5 input / $30 output, Terra $2.50 / $15, and Luna $1 / $6; the models are initially available through the API and Codex to a select group of partners, with a Cerebras deployment at up to 750 tokens per second planned for July. A vendor announcement; figures are OpenAI&#x27;s own.</p><p><strong>Tags:</strong> DISC, EXPL, POL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-27T12:00:00Z",
      "authors": [
        {
          "name": "OpenAI"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "POL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-techcrunch-bellan-openai-limits-gpt-5-6-rollout-after-government-request-says-re-2026-06-27",
      "url": "https://techcrunch.com/2026/06/26/openai-limits-gpt-5-6-rollout-after-government-request-says-restrictions-shouldnt-be-the-norm/",
      "title": "TechCrunch (Bellan) — OpenAI limits GPT-5.6 rollout after government request, says restrictions shouldn't be the norm",
      "content_html": "<p><em>Rebecca Bellan (TechCrunch)</em></p><p><strong>Published:</strong> 2026-06-26</p><p>26 June 2026 TechCrunch report by Rebecca Bellan on OpenAI&#x27;s decision to limit the release of its GPT-5.6 models (Sol, Terra, and Luna) to a small group of trusted partners at the request of the US government, with the preview restricted to partners whose participation has been shared with the government. The piece situates the move within new pressure from the Trump administration on AI companies to restrict their most advanced systems, noting it follows the administration&#x27;s order that Anthropic remove access to its Fable 5 model for any foreign national, which led Anthropic to take that model down entirely. It quotes OpenAI&#x27;s blog post stating the company does not believe this kind of government access process should become the long-term default because it keeps the best tools from users, developers, enterprises, cyber defenders, and global partners who need them, and that the preview is a short-term step while OpenAI works with the administration on a cyber executive-order framework and a repeatable process for future model releases. The article cites Dean Ball, a former White House AI adviser and soon-to-be OpenAI employee, arguing that Trump&#x27;s recent executive order — which asks certain AI companies to voluntarily submit their most advanced models for government review up to 30 days before release — has created a de facto involuntary licensing regime for frontier AI, and that the absence of clearly defined safety standards risks endless launch delays that could aid China in the AI race and jeopardize AI-infrastructure investment. On the model itself, the report restates OpenAI&#x27;s claims that Sol is its strongest model yet, that it is slightly better at coding workflows than Anthropic&#x27;s Claude Mythos 5 (which the administration also effectively banned that month) and competitive with Mythos Preview at a third of the output tokens, and that its safeguards are built into the core model&#x27;s behaviour rather than relying on a separate filter on top — which the piece reads as an attempt to avoid the invisible down-routing to an older model that drew user backlash during Fable 5&#x27;s brief availability.</p><p><strong>Tags:</strong> POL, GOV, SOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-27T12:00:00Z",
      "authors": [
        {
          "name": "Rebecca Bellan (TechCrunch)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "SOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-reuters-us-allows-anthropic-to-release-mythos-5-to-trusted-us-organizations-2026-06-27",
      "url": "https://www.reuters.com/technology/us-releases-anthropic-model-mythos-some-us-companies-semafor-reports-2026-06-26/",
      "title": "Reuters — US allows Anthropic to release Mythos 5 to 'trusted' US organizations",
      "content_html": "<p><em>Reuters (Mrinmay Dey and David Shepardson)</em></p><p><strong>Published:</strong> 2026-06-26</p><p>26 June 2026 Reuters report (Mrinmay Dey and David Shepardson) that the US government allowed Anthropic to release its Claude Mythos 5 model to some &#x27;trusted&#x27; US organizations, partially reversing the 12 June export-control order that had suspended access over national-security risks. More than 100 companies and institutions, including many Fortune 500 companies, were given access according to a source familiar with the directive; the source said many of the approved organizations are part of Anthropic&#x27;s Project Glasswing. In a letter to Anthropic, Commerce Secretary Howard Lutnick wrote that since the 12 June letter Anthropic had worked with the government to address risks associated with the &#x27;Covered Models&#x27; and that he had determined appropriate safeguards were in place to permit certain trusted partners to access Mythos 5; an export license would no longer be required to export, re-export, or transfer Mythos 5 to the approved entities (identified in an Annex A) and their foreign-national employees, or to Anthropic&#x27;s own foreign-national employees, while licensing restrictions remained for companies not on the approved list. Anthropic said the government had notified it that Mythos 5, its strongest cybersecurity model, could be redeployed to a set of US organizations that operate and defend critical infrastructure, that it was restoring access quickly, and that it was continuing to work with the government to expand access to Mythos 5 and to make Fable 5 available for general use again. The letter was silent on Fable 5, the weaker consumer-facing variant built on the same underlying model; the source said the government was moving toward allowing its release on an unclear timeline. The report notes the move came the same day OpenAI said it was delaying a full public launch of GPT-5.6, and that the vetting of which companies gain access drew criticism — quoting John Coleman, legislative counsel for the Foundation for Individual Rights and Expression, that it is unclear how the companies are picked and why others are excluded. It situates both actions within the administration&#x27;s executive order this month establishing a voluntary framework for AI developers to offer &#x27;covered frontier models&#x27; to the US government. (The Reuters story was published as a follow-up to Semafor&#x27;s initial report.)</p><p><strong>Tags:</strong> POL, GOV, SOV, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-27T12:00:00Z",
      "authors": [
        {
          "name": "Reuters (Mrinmay Dey and David Shepardson)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "SOV",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-saxe-glm-5-2-not-mythos-is-the-real-security-emergency-2026-06-27",
      "url": "https://joshuasaxe181906.substack.com/p/glm-52-not-mythos-is-the-real-security",
      "title": "Saxe — GLM-5.2, not Mythos, is the real security emergency",
      "content_html": "<p><em>Joshua Saxe</em></p><p><strong>Published:</strong> 2026-06-23</p><p>23 June 2026 Substack essay by Joshua Saxe arguing that the open-weight model GLM-5.2, rather than Anthropic&#x27;s Mythos, is the more consequential security development of the moment. Saxe&#x27;s framing: until recently attackers using frontier models faced a dilemma because their API usage was logged, so even with fake accounts and creative prompting their tactics, techniques, targets, and intent risked being exposed to defenders after the fact — a friction he credits with limiting attacker uptake of the past nine months&#x27; agentic-AI advances. He contends GLM-5.2 removes that dilemma by being the first open-weights model widely regarded as capable of long-horizon agency comparable to GPT-5.5 and Opus 4.8 at the code and terminal operations central to offensive cyber work, while being runnable privately (he cites eight H200 GPUs) and trivially fine-tunable to drop refusals, so attackers can now carry out long-running, Claude Code-level operations from the shadows without logging. He predicts a dark economy of inference providers and harnesses serving near-frontier open weights, mirroring existing markets for malware, zero-days, credential dumps, and initial access, and frames the policy moment as access to near-frontier open-weight offensive agents being democratized at the same time access to the regulated frontier (he names the restriction of Mythos) is being constrained — which he argues is backwards, given that frontier models run on monitored private servers watched by misuse-detection teams and that the defender community has been fixing model-discovered bugs faster than attackers have exploited new zero-days in the wild. He maps the opportunity across three clusters of attacker behaviour (scams and commodity malware against individuals, targeted ransomware against organizations, and intelligence/influence/kinetic campaigns against national interests) and argues the response should shift from denying attackers frontier access toward helping defenders win the race to adopt AI — through direct adoption inside CISO organizations and innovation by the vendors that supply them — so defenders can pay down security technical debt before attackers reach their own automation moments. An opinion source.</p><p><strong>Tags:</strong> DISC, EXPL, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-27T12:00:00Z",
      "authors": [
        {
          "name": "Joshua Saxe"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-uk-aisi-releasing-aisi-s-engineering-playbook-2026-06-27",
      "url": "https://www.aisi.gov.uk/blog/releasing-aisis-engineering-playbook",
      "title": "UK AISI — Releasing AISI's Engineering Playbook",
      "content_html": "<p><em>UK AI Security Institute</em></p><p><strong>Published:</strong> 2026-06-18</p><p>18 June 2026 AISI blog post releasing the AISI Engineering Playbook, an open guide to the research stack and supporting infrastructure behind AISI&#x27;s frontier-model evaluations, building on the May 2024 open-sourcing of the Inspect toolkit. The argument is that while Inspect provides the open-source evaluation tools, evaluating frontier AI at scale also needs complex supporting infrastructure — somewhere to run untrusted code, a way to manage and audit calls to model providers, the compute to host models, and systems of working that tie it together — much of which is invisible, rarely documented, and rebuilt from scratch by every serious evaluation team. The Playbook breaks that wider infrastructure into five layers: Evaluate (a reproducible, provider-comparable, agentic-task-capable testing framework), Isolate (containment matched to the risk of the work, for running untrusted code), Connect (an audited, cost-controlled layer between researchers and the model providers they call), Run (the researcher&#x27;s working platform — machine, data, compute, and route to a deployed application), and Scale (supercomputer-scale inference for hosting and researching the largest open-weight models), with technical overviews, per-capability deep dives, and links to open-source code where it exists. Framed as a reference architecture that lets researchers adopt individual components or stand up rigorous evaluation capability without starting from zero (&quot;building their own AISI&quot;), and explicitly as a snapshot of current methods rather than a finished product. Notes Inspect adoption by METR (migrated from its in-house Vivaria platform; 228-task time-horizon evaluations cited in the International AI Safety Report 2026) and Apollo Research (deprecated its internal framework after a three-month trial), 240+ inspect_ai contributors, and the companion Inspect Evals collection of 200+ pre-built evaluations. The evaluation-infrastructure companion to the UK AISI Inspect entry and the AISI cyber-capability evaluation entries.</p><p><strong>Tags:</strong> DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-27T12:00:00Z",
      "authors": [
        {
          "name": "UK AI Security Institute"
        }
      ],
      "tags": [
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-five-eyes-cyber-security-agencies-via-ncsc-uk-the-ai-shift-in-cyber-risk-why-lea-2026-06-23",
      "url": "https://www.ncsc.gov.uk/news/the-ai-shift-in-cyber-risk-why-leaders-must-act-now",
      "title": "Five Eyes cyber security agencies (via NCSC-UK) — The AI shift in cyber risk: why leaders must act now",
      "content_html": "<p><em>Joint statement by the heads of the Five Eyes cyber security agencies: Stephanie Crowe (Head, Australian Cyber Security Centre, Australian Signals Directorate); Rajiv Gupta (Head, Canadian Centre for Cyber Security, Communications Security Establishment); Catriona Robinson (Head of the National Cyber Security Centre, Government Communications Security Bureau, New Zealand); Richard Horne (CEO, National Cyber Security Centre, UK); David Imbordino (Director, Cyber Security Directorate, National Security Agency); Nick Andersen (Acting Director, Cybersecurity and Infrastructure Security Agency)</em></p><p><strong>Published:</strong> 2026-06-22</p><p>22 June 2026 joint statement from the leaders of all five Five Eyes cyber security agencies (ASD/ACSC, CSE/CCCS, GCSB, NCSC-UK, NSA, CISA), published on the NCSC-UK site. The throughline is that frontier AI is transforming cyber risk on a timeline of months rather than years and shrinking the discovery-to-exploitation window, and that cyber risk is a core business and leadership responsibility rather than a purely technical issue. Five practical actions, framed as not-new-but-now-urgent: reduce the attack surface, accelerate patching, address legacy/unsupported systems, strengthen identity and access controls, and prepare for incidents assuming breaches will occur — plus a call to use AI deliberately to strengthen defence. A statement, not measurement — no quantified figures.</p><p><strong>Tags:</strong> GOV, POL, OPS, PATCH</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-23T12:00:00Z",
      "authors": [
        {
          "name": "Joint statement by the heads of the Five Eyes cyber security agencies: Stephanie Crowe (Head, Australian Cyber Security Centre, Australian Signals Directorate); Rajiv Gupta (Head, Canadian Centre for Cyber Security, Communications Security Establishment); Catriona Robinson (Head of the National Cyber Security Centre, Government Communications Security Bureau, New Zealand); Richard Horne (CEO, National Cyber Security Centre, UK); David Imbordino (Director, Cyber Security Directorate, National Security Agency); Nick Andersen (Acting Director, Cybersecurity and Infrastructure Security Agency)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS",
        "PATCH"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-fedramp-response-to-cisa-bod-26-04-prioritizing-security-updates-based-on-risk-p-2026-06-23",
      "url": "https://www.fedramp.gov/notices/0014/",
      "title": "FedRAMP — Response to CISA BOD 26-04 (Prioritizing Security Updates Based on Risk) (Public Notice NTC-0014)",
      "content_html": "<p><em>FedRAMP (Federal Risk and Authorization Management Program; General Services Administration, Technology Transformation Services)</em></p><p><strong>Published:</strong> 2026-06-16</p><p>16 June 2026 FedRAMP public notice (NTC-0014) responding to CISA&#x27;s 10 June 2026 Binding Operational Directive 26-04. FedRAMP will make its new Vulnerability Detection and Response (VDR) and Vulnerability Evaluation and Reporting (VER) rules mandatory for all cloud service offerings obtaining or maintaining FedRAMP Certification effective 7 December 2026 — a sharp acceleration of a mandatory-adoption date previously planned for mid-2027. The notice calls the legacy monthly vulnerability-scanning process insufficient and moves providers to an exposure- and exploitability-based model: evaluate internet-reachability, evaluate exploitability (KEV status and exploit automation), assume exploits are automatable by default, and remediate KEVs on the BOD&#x27;s timelines. A corrective-action-plan grace period runs to 7 March 2027, after which certification is revoked for non-compliant offerings.</p><p><strong>Tags:</strong> PATCH, TRIAGE, GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-23T12:00:00Z",
      "authors": [
        {
          "name": "FedRAMP (Federal Risk and Authorization Management Program; General Services Administration, Technology Transformation Services)"
        }
      ],
      "tags": [
        "PATCH",
        "TRIAGE",
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mcfadyen-et-al-uk-aisi-how-inference-compute-shapes-frontier-llm-evaluation-2026-06-22",
      "url": "https://arxiv.org/abs/2606.17930",
      "title": "McFadyen et al. (UK AISI) — How Inference Compute Shapes Frontier LLM Evaluation",
      "content_html": "<p><em>Jessica McFadyen, Ole Jorgensen, Harry Coppock, Kevin Wei, Cozmin Ududec</em></p><p><strong>Published:</strong> 2026-06-16</p><p>16 June 2026 arXiv preprint (34 pp., cs.AI) arguing that frontier-model benchmark scores are protocol-dependent and that fixed-budget evaluation increasingly understates capability as models advance. The authors evaluate up to twelve frontier models across seven hard benchmarks spanning software engineering, mathematics, medicine, and cybersecurity, using three inference-scaling interventions — larger token budgets, context compaction, and repeated submission attempts — and find that larger token budgets substantially improve performance, that fixed-budget evaluations increasingly understate frontier capability as models advance, and that benchmarks differ in which scaling method helps most. The recommendation is methodological: report capability as a function of inference-time compute, state protocol choices explicitly, and compare models over a shared compute range at matched budgets, especially in safety- or policy-relevant settings. The practical upshot is that cyber-capability scores are best read as points on a compute-conditional curve rather than fixed model properties. Caveat: v1 preprint, not yet peer-reviewed.</p><p><strong>Tags:</strong> DISC, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-22T12:00:00Z",
      "authors": [
        {
          "name": "Jessica McFadyen, Ole Jorgensen, Harry Coppock, Kevin Wei, Cozmin Ududec"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bsi-germany-auswirkungen-auf-die-cybersicherheit-von-organisationen-durch-die-en-2026-06-22",
      "url": "https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2026/2026-262788-1032.html",
      "title": "BSI (Germany) — Auswirkungen auf die Cybersicherheit von Organisationen durch die Entwicklung im Bereich Künstlicher Intelligenz [Effects on organisations' cybersecurity from developments in artificial intelligence] (Cybersicherheitswarnung)",
      "content_html": "<p><em>Bundesamt für Sicherheit in der Informationstechnik (BSI)</em></p><p><strong>Published:</strong> 2026-06-22</p><p>22 June 2026 cybersecurity warning (Version 1.0; ref. 2026-262788-1032) from Germany&#x27;s federal cyber authority, stating that AI is fundamentally changing the cybersecurity situation and demands faster response. Current AI systems, it holds, can detect, analyse, and turn software vulnerabilities into usable attack paths comprehensively and partly autonomously in a short time, leaving organisations facing a rising volume of vulnerabilities, exploits, patches, and follow-on incidents. It names frontier models (Claude Mythos, OpenAI GPT-5.5) while noting cheaper, smaller LLMs also matter. Its framing is the offence-defence asymmetry: attackers gain from speed, scale, and automation, while defenders are bound by operational limits (testing, approvals, patch windows, vendor dependencies, personnel), so the conclusion is that the attack surface must be minimised. Caveat: an official warning, not measurement — no quantified figures, and it hedges its forecasts; German-language source. PDF (151 KB) linked.</p><p><strong>Tags:</strong> DISC, EXPL, OPS, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-22T12:00:00Z",
      "authors": [
        {
          "name": "Bundesamt für Sicherheit in der Informationstechnik (BSI)"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "OPS",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hurel-rusi-gatekeeping-the-frontier-when-ai-access-becomes-a-national-security-c-2026-06-22",
      "url": "https://www.rusi.org/explore-our-research/publications/commentary/gatekeeping-frontier-when-ai-access-becomes-national-security-concern",
      "title": "Hurel (RUSI) — Gatekeeping the Frontier: When AI Access Becomes a National Security Concern",
      "content_html": "<p><em>Dr Louise Marie Hurel (Senior Research Fellow, Cyber and Tech, Royal United Services Institute)</em></p><p><strong>Published:</strong> 2026-06-22</p><p>22 June 2026 RUSI Commentary (Long Read) reading the 12 June 2026 US Commerce Department export-control directive — Secretary Howard Lutnick&#x27;s order suspending all foreign-national access to Fable 5 and Mythos 5, which led Anthropic to suspend access for all customers — as the clearest sign yet of the securitisation of frontier AI: moving the question of who may access these models from ordinary politics into the register of national security. Hurel pairs it with the 2 June Executive Order, whose voluntary US-government preview of covered models (gated by a classified threshold) she treats as the same logic in statutory form, and traces three consequences — fragmentation, exclusion, and capture. She contrasts the EO&#x27;s classified-threshold access with the EU AI Act&#x27;s published statutory access powers (Arts. 91–92), surveys the sovereignty backlash, and prescribes shared, published, interoperable access standards set through accountable rather than bilateral processes. Think-tank commentary; the views are the author&#x27;s and not RUSI&#x27;s, and the developments it reports are a contemporaneous snapshot.</p><p><strong>Tags:</strong> SOV, POL, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-22T12:00:00Z",
      "authors": [
        {
          "name": "Dr Louise Marie Hurel (Senior Research Fellow, Cyber and Tech, Royal United Services Institute)"
        }
      ],
      "tags": [
        "SOV",
        "POL",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-openai-daybreak-tools-for-securing-every-organization-in-the-world-patch-the-pla-2026-06-22",
      "url": "https://openai.com/index/daybreak-securing-the-world/",
      "title": "OpenAI — Daybreak: Tools for securing every organization in the world (Patch the Planet; full GPT-5.5-Cyber)",
      "content_html": "<p><em>OpenAI</em></p><p><strong>Published:</strong> 2026-06-22</p><p>22 June 2026 OpenAI announcement expanding its Daybreak programme, framed around the claim that the bottleneck in cybersecurity has shifted from finding vulnerabilities to patching them. Four components. (i) A Codex Security plugin update that scans, builds threat models, tests reachability, and generates and verifies targeted patches with humans in control; since its March research preview it has scanned 30M+ commits across 30,000+ codebases, with 70,000+ findings manually marked fixed and 500,000+ automatically determined fixed. (ii) The full GPT-5.5-Cyber, a limited release to trusted defenders, reported at 85.6% on CyberGym (vs 81.8% for GPT-5.5), 39.5% on ExploitGym (vs 25.95%), and 69.8% on SEC-bench Pro (vs 63.1%). (iii) A Daybreak Cyber Partner Program letting security vendors (Accenture, CrowdStrike, Cisco, Cloudflare, Palo Alto Networks, Wiz, Zscaler and others) embed GPT-5.5 Trusted Access for Cyber in their products. (iv) Patch the Planet, founded with Trail of Bits and with HackerOne and Calif, funding expert researchers to validate and deduplicate vulnerabilities and patches before they reach maintainers; 30+ open-source projects committed (cURL, Go, Python, Sigstore, pyca/cryptography), with a cited finding that 94% of widely used projects studied had fewer than ten developers responsible for &gt;90% of code added in a year. Also reports Trusted Access for Cyber partnerships with Australia, Canada, France, Germany, Japan, Korea and EU institutions including ENISA, plus a UK partnership and CAISI pre-deployment testing. Vendor announcement, marketing-adjacent; figures are OpenAI&#x27;s own self-reported single-budget numbers.</p><p><strong>Tags:</strong> DISC, PATCH, SUPPLY, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-22T12:00:00Z",
      "authors": [
        {
          "name": "OpenAI"
        }
      ],
      "tags": [
        "DISC",
        "PATCH",
        "SUPPLY",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-srlabs-nohl-beyond-fable-can-a-local-llm-replace-cloud-ai-for-security-code-revi-2026-06-22",
      "url": "https://srlabs.de/blog/beyond-fable",
      "title": "SRLabs (Nohl) — Beyond Fable: Can a Local LLM Replace Cloud AI for Security Code Reviews",
      "content_html": "<p><em>Security Research Labs (SRLabs); bylined Karsten Nohl (Chief Innovation Officer, Allurity)</em></p><p><strong>Published:</strong> 2026-06-22</p><p>22 June 2026 SRLabs research post asking whether a locally-hosted open-weight model can match frontier cloud models for security code review without sending source code to the cloud — the data-residency problem facing finance, government, and critical-infrastructure clients who cannot share proprietary code with cloud LLMs. The team tested Claude Opus 4.6/4.8, Claude Fable 5, GLM-5, Gemma4-26b (~3.8B active MoE) and Qwen3.6-35B-A3B (~3B active MoE) on two production codebases: a ~150-file Next.js / TypeScript fintech dashboard and Voqua-web, an ~85-file Rails quadratic-voting app. Headline result: a local Qwen MoE running on a MacBook produced finding-count parity with frontier cloud models in under 90 minutes with zero human nudges — though the authors stress finding-count parity is not capability parity, and counts are raw findings, not validated true positives. The proposed Source-local pipeline keeps proprietary source on the machine while a cloud model designs the review from metadata only (file tree, schema, routes) and consolidates the report, and the local model reads source and runs standard tools (bundler-audit, npm audit, Semgrep, Brakeman); only step prompts and step-level findings cross the trust boundary. Takeaways: no single model finds everything (the union dominates); prompt engineering and harness design matter more than model size; report quality is clearly better on larger/frontier models; and Claude Fable 5, despite its cyber guardrails, works fine as the orchestrator — matching Opus 4.8 for review design and consolidation with no refusals, which the authors read alongside the US export-control suspension of Fable as evidence the guardrails are more than marketing. Vendor research, with findings responsibly disclosed.</p><p><strong>Tags:</strong> DISC, OPS, XCUT, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-22T12:00:00Z",
      "authors": [
        {
          "name": "Security Research Labs (SRLabs); bylined Karsten Nohl (Chief Innovation Officer, Allurity)"
        }
      ],
      "tags": [
        "DISC",
        "OPS",
        "XCUT",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-liccardo-obernolte-franklin-lieu-letter-to-commerce-secretary-lutnick-seeking-tr-2026-06-21",
      "url": "https://liccardo.house.gov/media/press-releases/bipartisan-members-congress-seek-transparency-frontier-ai-export-controls",
      "title": "Liccardo, Obernolte, Franklin & Lieu — Letter to Commerce Secretary Lutnick seeking transparency on frontier AI export controls",
      "content_html": "<p><em>Sam T. Liccardo (D-CA), Jay Obernolte (R-CA), C. Scott Franklin (R-FL), Ted W. Lieu (D-CA)</em></p><p><strong>Published:</strong> 2026-06-18</p><p>18 June 2026 bipartisan House letter to Commerce Secretary Howard Lutnick on the 12 June export-control directive restricting Claude Mythos 5 and Claude Fable 5, seeking transparency on the Department&#x27;s legal authorities, technical evaluations, review process, and the criteria and timeline for restoring access or granting licenses. The letter records the signatories&#x27; understanding that the action took the form of an &quot;is informed&quot; letter under 15 C.F.R. § 744.22(b), invoking emerging- and foundational-technology authorities under the Export Control Reform Act of 2018 and imposing a worldwide license requirement on exports, reexports, and transfers of the affected models to foreign persons — an effect they argue could substantially restrict distribution, deployment, and use of advanced AI models including within the US, and set a precedent reaching other developers, researchers, users, and investors. Poses twelve questions, among them: whether the ECRA interagency and public-notice process under 50 U.S.C. § 4817(b)(2)(B) was followed or bypassed; the factual basis for any &quot;military intelligence end use&quot; finding under §744.22(a); the technical evaluations and red-team reports underlying the determination and who prepared them; whether the capability of concern is unique to one developer or also present in other publicly available models (including open-weight models) evaluated against the same standard; when and through what channel concerns were first raised with the developer and whether a voluntary pause or remediation was sought first; the criteria and timeline for rescission, restoration, or licensing and who decides; and whether equivalent &quot;is informed&quot; letters have gone or will go to other frontier-model developers, and if applied generally whether it will be done through notice-and-comment rulemaking. Requests a response by 26 June and offers a briefing and, if necessary, a classified roundtable.</p><p><strong>Tags:</strong> POL, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-21T12:00:00Z",
      "authors": [
        {
          "name": "Sam T. Liccardo (D-CA), Jay Obernolte (R-CA), C. Scott Franklin (R-FL), Ted W. Lieu (D-CA)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-csis-the-department-of-commerce-restricted-access-to-anthropic-s-latest-models-w-2026-06-20",
      "url": "https://www.csis.org/analysis/department-commerce-restricted-access-anthropics-latest-models-what-comes-next",
      "title": "CSIS — The Department of Commerce Restricted Access to Anthropic's Latest Models. What Comes Next?",
      "content_html": "<p><em>Kate Koren, Kevin Kurland, Aalok Mehta (Center for Strategic and International Studies)</em></p><p><strong>Published:</strong> 2026-06-16</p><p>16 June 2026 CSIS Critical Questions analysis of the 12 June Commerce directive, co-authored by Kevin Kurland, a former senior BIS official. Argues the worldwide scope rests on untested ground: the EAR §744.22 &#x27;is informed&#x27; power is written for a small set of adversary countries rather than a global control, and the only authority that is not country-limited, ECRA&#x27;s emerging-technology provision, has no implementing regulation and had not previously been used this way. Notes that §734.13, reportedly cited to bring model access under the EAR, was used in three earlier BIS Advisory Opinions to conclude that remote-access transactions are not exports subject to the EAR, implying the order may cleanly reach only Anthropic&#x27;s own foreign employees rather than ordinary remote users. Maps three plausible paths (negotiated retraction once the vulnerability is resolved, litigation over the basis or the worldwide scope, or citizenship-verified restoration) and warns that the absence of a published process risks creating an impossible bar that would only permit release of models that cannot be jailbroken even in theory.</p><p><strong>Tags:</strong> POL, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-20T12:00:00Z",
      "authors": [
        {
          "name": "Kate Koren, Kevin Kurland, Aalok Mehta (Center for Strategic and International Studies)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-just-security-legal-considerations-related-to-the-anthropic-export-controls-dire-2026-06-20",
      "url": "https://www.justsecurity.org/142745/law-anthropic-export-controls/",
      "title": "Just Security — Legal Considerations Related to the Anthropic 'Export Controls Directive'",
      "content_html": "<p><em>Brian Egan (Skadden, Arps; former Legal Adviser to the U.S. Department of State and the National Security Council)</em></p><p><strong>Published:</strong> 2026-06-15</p><p>15 June 2026 Just Security analysis of the undisclosed Commerce order. Identifies the likely authority as the Export Control Reform Act of 2018 and its &#x27;is informed&#x27; letter mechanism, which Commerce has used regularly to impose licence requirements on semiconductor exports to China, while stressing that the breadth here is unprecedented for that tool: access to models that were previously subject to no export restrictions is now off limits to any foreign national anywhere, including persons inside the United States. Contrasts the action with the administration&#x27;s otherwise deregulatory, &#x27;hands off&#x27; posture on AI exports, including the May 2025 rescission of the Biden &#x27;AI diffusion&#x27; rule. Notes speculation, given the February Department of War supply-chain-risk designation, that Anthropic is being singled out, and argues Commerce could end the uncertainty by publicly stating the nature of the threat, the steps needed to alleviate it, and whether other models face similar restrictions, rather than relying on one-off private directives that leave industry and the public in the dark.</p><p><strong>Tags:</strong> POL, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-20T12:00:00Z",
      "authors": [
        {
          "name": "Brian Egan (Skadden, Arps; former Legal Adviser to the U.S. Department of State and the National Security Council)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-tech-policy-press-did-the-us-government-just-set-an-ai-export-precedent-by-block-2026-06-20",
      "url": "https://www.techpolicy.press/did-the-us-government-just-set-an-ai-export-precedent-by-blocking-mythos/",
      "title": "Tech Policy Press — Did the US Government Just Set An AI Export Precedent by Blocking Mythos?",
      "content_html": "<p><em>Joseph Hoefer (Tech Policy Press)</em></p><p><strong>Published:</strong> 2026-06-15</p><p>15 June 2026 Tech Policy Press perspective arguing that the consequential development is not the single model but the legal instrument. Export authorities built around discrete transfers of an identifiable item are being applied to a continuously available frontier model reached by API, leaving unsettled what the &#x27;export&#x27; even is: the weights, the act of inference, or the capability itself. Frames the central policy choice as between an incremental-risk approach, which controls only capabilities that materially expand what an adversary can already do, and a capability-based approach, in which the mere presence of a sensitive capability triggers control regardless of what already exists; the second is far broader and easier to administer, creating a quiet institutional pull toward it. Warns that settling this implicitly, through accumulated one-off enforcement actions rather than public notice-and-comment rulemaking, lets a framework assemble before anyone has defined it, and calls for the standard tying capability assessments to consequences to be set deliberately.</p><p><strong>Tags:</strong> POL, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-20T12:00:00Z",
      "authors": [
        {
          "name": "Joseph Hoefer (Tech Policy Press)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-iapp-the-global-implications-of-the-white-house-s-export-controls-on-anthropic-2026-06-20",
      "url": "https://iapp.org/news/a/the-global-implications-of-the-white-houses-export-controls-on-anthropic",
      "title": "IAPP — The global implications of the White House's export controls on Anthropic",
      "content_html": "<p><em>Jedidiah Bracy (Editorial Director, IAPP)</em></p><p><strong>Published:</strong> 2026-06-15</p><p>15 June 2026 IAPP news roundup of the reaction to the 12 June directive. Summarises Anthropic&#x27;s objection that recalling a model over one narrow jailbreak would, if generalised, halt frontier deployments; the Politico account of the &#x27;whirlwind 24 hours&#x27; of tense official calls; and David Sacks&#x27;s framing that the issue should be easily resolved with the ball in Anthropic&#x27;s court. Collects the cybersecurity open letter to Lutnick and Cairncross arguing the capability is not unique, the European &#x27;kill switch&#x27; and tech-sovereignty reactions across the political spectrum, the European Technological Sovereignty Package, Canada&#x27;s new national AI strategy, and Republican pushback on the administration&#x27;s hands-off AI posture. Closes with Baker McKenzie&#x27;s Brian Hengesbaugh advising firms to fold potential AI-model unavailability into business-continuity planning and to prepare for more volatility.</p><p><strong>Tags:</strong> POL, GOV, SOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-20T12:00:00Z",
      "authors": [
        {
          "name": "Jedidiah Bracy (Editorial Director, IAPP)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "SOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-iapp-the-anthropic-episode-probably-a-security-challenge-in-need-of-governance-c-2026-06-20",
      "url": "https://iapp.org/news/a/the-anthropic-episode-probably-a-security-challenge-in-need-of-governance-certainly-not-europe-s-kill-switch",
      "title": "IAPP — The Anthropic episode: Probably a security challenge in need of governance, certainly not Europe's 'kill switch'",
      "content_html": "<p><em>Théodore Christakis (Chair, Legal &amp; Regulatory Implications of AI, MIAI, University of Grenoble Alpes)</em></p><p><strong>Published:</strong> 2026-06-16</p><p>16 June 2026 IAPP contributed opinion arguing that whether or not the directive was well founded, it should not be read as a deliberate anti-European &#x27;kill switch&#x27;. The models became unavailable inside the United States as much as in France, the UK or Japan, and the foreign-person line appears to be an artifact of the only immediately usable legal tool, export control, rather than a strategic aim to cut Europe off; the government&#x27;s reported first ask was a voluntary pull applying to everyone, Americans included. Reviews why other instruments offered no clear, direct domestic shutdown authority, drawing an analogy to 1990s encryption controls that restricted export while leaving domestic use untouched. Accepts the fair criticism that sorting by nationality is a poor proxy for dangerous use, but concludes the episode exposes a real, shared dependency problem that calls for better governance and collective investment rather than renunciation of one of the most capable defensive tools available.</p><p><strong>Tags:</strong> POL, GOV, SOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-20T12:00:00Z",
      "authors": [
        {
          "name": "Théodore Christakis (Chair, Legal & Regulatory Implications of AI, MIAI, University of Grenoble Alpes)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "SOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ceps-why-we-have-six-months-to-regulate-the-ai-that-europe-isn-t-building-2026-06-20",
      "url": "https://www.ceps.eu/why-we-have-six-months-to-regulate-the-ai-that-europe-isnt-building/",
      "title": "CEPS — Why we have six months to regulate the AI that Europe isn't building",
      "content_html": "<p><em>Francisco Ríos, Eduardo Brito (Centre for European Policy Studies)</em></p><p><strong>Published:</strong> 2026-06-17</p><p>17 June 2026 CEPS commentary on what the Mythos episode means for Europe. Argues that any restraint on commercialising a capable model only holds while no one else builds the equivalent, and points to rapid convergence, citing the 2026 Stanford AI Index putting the top closed model just 3.3% ahead of the top open model on one leaderboard and cyber-task success rates climbing from 5% to 96% in about two years, to suggest a Mythos-equivalent open-weight model could appear within roughly eighteen months. Notes that open weights flow through US-anchored platforms such as GitHub and Hugging Face on which European users depend, and that extraterritorial enforcement against a freely downloadable file is weak, as the DeepSeek experience showed. Concludes that the EU&#x27;s existing AI Act provisions mostly cover this on paper, and that the unused lever is to treat distribution platforms as the chokepoint the file actually passes through and to build in-house capacity to evaluate offensive cyber capability rather than relying on developer self-attestation.</p><p><strong>Tags:</strong> SOV, POL, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-20T12:00:00Z",
      "authors": [
        {
          "name": "Francisco Ríos, Eduardo Brito (Centre for European Policy Studies)"
        }
      ],
      "tags": [
        "SOV",
        "POL",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-aspi-us-export-control-on-anthropic-s-claude-fable-5-and-mythos-5-weekly-brief-2026-06-20",
      "url": "https://aspicts.substack.com/p/us-export-control-on-anthropics-claude",
      "title": "ASPI — US export control on Anthropic's Claude Fable 5 and Mythos 5 (weekly brief)",
      "content_html": "<p><em>David Wroe (Head, AI and Security program, Australian Strategic Policy Institute)</em></p><p><strong>Published:</strong> 2026-06-19</p><p>Australian Strategic Policy Institute weekly cyber, technology and geopolitics brief covering 13–19 June 2026, with commentary from David Wroe, head of ASPI&#x27;s AI and Security program. Treats the 12 June US export-control directive on Fable 5 and Mythos 5 as an important moment in frontier-AI governance and as a warning that Australia should do what it can to ensure it is not left behind as access to the most capable models becomes contingent on US decisions. Sets the episode against the broader shift toward government oversight of frontier models and the contest among allies for trusted access, and draws out the sovereignty and supply-risk implications for a country dependent on overseas-controlled AI services.</p><p><strong>Tags:</strong> GOV, POL, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-20T12:00:00Z",
      "authors": [
        {
          "name": "David Wroe (Head, AI and Security program, Australian Strategic Policy Institute)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-conseil-de-l-ia-et-du-num-rique-cianum-dependance-day-fable-5-mythos-5-l-europe--2026-06-16",
      "url": "https://www.conseil-ia-numerique.fr/nos-travaux/dependance-day-fable-5-mythos-5-leurope-face-son-point-de-bascule",
      "title": "Conseil de l'IA et du numérique (CIANum) — Dependance Day ? Fable 5, Mythos 5 : l'Europe face à son point de bascule",
      "content_html": "<p><em>Conseil de l&#x27;IA et du numérique (CIANum), France</em></p><p><strong>Published:</strong> 2026-06-15</p><p>Mid-June 2026 short note from France&#x27;s Conseil de l&#x27;IA et du numérique (CIANum), the French government advisory council on AI and digital affairs, responding to the 12 June 2026 US export-control directive that suspended non-American access to Anthropic&#x27;s Fable 5 and Mythos 5. The council argues that the kill-switch risk to European strategic autonomy — frequently invoked in preceding months — is no longer a hypothesis: where earlier instances had been targeted and quieter, the restrictions on these two frontier models mark a significant and unprecedented step toward the practical generalisation of that risk. It warns of a possible paradigm shift from AI as a mass-market commodity toward an AI of scarcity controlled by a handful of actors, and of the pressure this places on open and broadly accessible AI — including the resurgence of the existential-risk narrative used to justify locking down the most advanced models, which the council reads as limiting competition and open innovation and as undermining the ability to audit models independently, to access training data, and to use tools needed for ends such as protecting minors online. It frames the episode as a turning point for Europe and calls for action across the whole value chain: public policy that works on both supply and demand to enable scaling, articulate public and private ecosystems, and shape a genuine European market; sufficient sovereign compute that is not channelled solely toward US actors; attracting engineers based outside Europe; and building France&#x27;s and Europe&#x27;s own at-scale frontier-AI research capacity to reduce the vulnerabilities the unilateral US decision exposed. The note links a web version and a downloadable PDF.</p><p><strong>Tags:</strong> SOV, POL, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-16T12:00:00Z",
      "authors": [
        {
          "name": "Conseil de l'IA et du numérique (CIANum), France"
        }
      ],
      "tags": [
        "SOV",
        "POL",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-first-mid-year-vulnerability-forecast-confirms-historic-surge-projects-66-000-cv-2026-06-16",
      "url": "https://www.first.org/newsroom/releases/20260615",
      "title": "FIRST — Mid-Year Vulnerability Forecast Confirms Historic Surge, Projects ~66,000 CVEs in 2026",
      "content_html": "<p><em>Forum of Incident Response and Security Teams (FIRST); forecast by Éireann Leverett (Lead, FIRST Vulnerability Forecasting Team) and Jerry Gamblin (EPSS SIG); CEO Chris Gibson quoted</em></p><p><strong>Published:</strong> 2026-06-15</p><p>15 June 2026 FIRST press release, issued at the organisation&#x27;s 38th Annual Conference in Denver, accompanying the 2026 Mid-Year Vulnerability Forecast. Actual CVE disclosures for January–April 2026 are running 46.3% above the February 2026 baseline, prompting an upward revision of the full-year projection to roughly 66,000 CVEs (from a February median of 59,427) — the first year on pace to approach 70,000. FIRST attributes the surge to three structural drivers rather than declining software security: AI-assisted vulnerability discovery, a 449% year-over-year rise in GitHub Security Advisory volume, and a 3,119% increase in VulnCheck CNA-of-Last-Resort activity. The headline &#x27;Rain vs. Flood&#x27; framing (Leverett; Gamblin): raw CVE volume is up sharply, but actionable exploitability — filtered through CISA KEV membership or EPSS above 10% — remains roughly flat, so teams triaging with EPSS and KEV can manage exposure without scaling headcount to raw volume. Methodology uses an ExponentialSmoothing model on daily CVE counts (Jan 2020–Apr 2026), with KEV and EPSS as exploitability overlays; full data and Python scripts published.</p><p><strong>Tags:</strong> TRIAGE, DISC, EXPL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-16T12:00:00Z",
      "authors": [
        {
          "name": "Forum of Incident Response and Security Teams (FIRST); forecast by Éireann Leverett (Lead, FIRST Vulnerability Forecasting Team) and Jerry Gamblin (EPSS SIG); CEO Chris Gibson quoted"
        }
      ],
      "tags": [
        "TRIAGE",
        "DISC",
        "EXPL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-empirical-security-roytman-epss-v5-is-here-2026-06-15",
      "url": "https://research.empiricalsecurity.com/research/epss-v5-is-here",
      "title": "Empirical Security (Roytman) — EPSS V5 Is Here",
      "content_html": "<p><em>Michael Roytman (Empirical Security)</em></p><p><strong>Published:</strong> 2026-05-13</p><p>13 May 2026 Empirical Security post by Michael Roytman announcing version 5 of the Exploit Prediction Scoring System (EPSS), with general release dated 15 June 2026. EPSS estimates the probability that a given CVE will be exploited in the wild rather than measuring severity. The post reports a 23% improvement over the prior model: on 4 May 2026 data the v4 model scored 0.514 and the v5 model scored 0.633 on a metric that rewards ranking genuinely exploited vulnerabilities above non-exploited ones (a random guess scores about 0.025, a perfect model 1.0). V5 scores all 318,000-plus published CVEs and adds improvements to the modeling pipeline, the underlying data feeds, probability calibration, and the upstream classifier that detects and categorises published exploit code. The post notes that Anthropic had recently recommended EPSS to help teams prioritise under AI-accelerated vulnerability volume, and frames severity-only triage (for example remediating every CVE at CVSS 7.0 or above) as forcing work on more than half of published vulnerabilities. EPSS scores are published free on the Empirical Security site, and the EPSS Special Interest Group at FIRST remains the main practitioner forum.</p><p><strong>Tags:</strong> TRIAGE, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-15T12:00:00Z",
      "authors": [
        {
          "name": "Michael Roytman (Empirical Security)"
        }
      ],
      "tags": [
        "TRIAGE",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-provos-the-case-for-open-weight-models-and-why-we-can-t-trust-frontier-labs-2026-06-15",
      "url": "https://www.provos.org/p/case-for-open-weight-models/",
      "title": "Provos — The Case For Open-Weight Models And Why We Can't Trust Frontier Labs",
      "content_html": "<p><em>Niels Provos</em></p><p><strong>Published:</strong> 2026-06-14</p><p>14 June 2026 essay by Niels Provos arguing that a frontier-lab API does not belong inside an organisation&#x27;s trusted computing base, because price, rate limits, retention, routing, refusal behaviour, model class, and the output itself can all change unilaterally while the customer&#x27;s code stays the same. It opens with early-2026 reports of large firms exhausting annual AI budgets within months and moving to per-token metering, and distinguishes coding use (a durable, reviewable artifact) from wiring a frontier model into the live request path (a standing bet on several variables at once). It cites the Fable 5 system card&#x27;s originally-disclosed covert-degradation path for frontier-LLM-development queries — limiting effectiveness via prompt modification, steering vectors, or parameter-efficient fine-tuning without a visible fallback, estimated at about 0.03% of traffic — which Anthropic reversed within days to a visible Opus fallback, and treats the June 2026 US export-control suspension of Fable 5 and Mythos 5 as evidence that closed access is politically contingent. It prescribes a hierarchy of computation: classical deterministic algorithms where they suffice, frontier models reserved for offline work (quality assurance, synthetic data, evaluation, red-teaming), and open-weight models in production, run inside the trust boundary where they can be inspected, forked, pinned, and kept. It discusses fast-moving Chinese open-weight models (Z.AI&#x27;s GLM 5.1 and 5.2), the value of capturing reasoning traces as fine-tuning and reinforcement-learning data, and the author&#x27;s open-source IronCurtain agent runtime.</p><p><strong>Tags:</strong> SOV, XCUT, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-15T12:00:00Z",
      "authors": [
        {
          "name": "Niels Provos"
        }
      ],
      "tags": [
        "SOV",
        "XCUT",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-freefable-org-open-letter-on-transparent-ai-cyber-protections-2026-06-15",
      "url": "https://freefable.org/",
      "title": "freefable.org — Open Letter on Transparent AI Cyber Protections",
      "content_html": "<p><em>Open letter; signatories include Alex Stamos, Katie Moussouris, Joshua Saxe, Chris Wysopal, Paul Vixie, Dino A. Dai Zovi, Dragos Ruiu, Dan Lorenc, Joe Levy (Sophos), Jack Cable, and more than 40 executives and technical leaders in information security (affiliations listed for reference only; signing stated as personal rather than organisational endorsement)</em></p><p><strong>Published:</strong> 2026-06-14</p><p>14 June 2026 open letter addressed to Commerce Secretary Howard Lutnick and National Cyber Director Sean Cairncross, signed by more than 40 executives and technical leaders in information security. The letter asks the US government to lift the export-control directives on Anthropic&#x27;s Fable and Mythos models and to commit to an open, scientific, and transparent process for handling AI risk assessments. It states that AI is significantly affecting cybersecurity by lowering the difficulty of finding software flaws and writing exploits, and that Mythos-class models are good at these tasks, but argues they are not uniquely so and that the triggering capability — determining whether a human-prompted section of code is insecure — is a necessary part of writing secure code and is replicable on GPT-5.5, Opus, Sonnet, and Chinese models such as Kimi 2.7. It contends the action removed strong models from defenders, created market uncertainty, and risked US AI leadership without a commensurate risk to justify it. It sets out four conditions for any AI regulation: grounded in scientific evaluations developed with industry and academic input; created through a democratic rule-making process; enforced transparently and fairly with appropriate time to remediate; and used only to the minimal extent necessary to ensure public safety.</p><p><strong>Tags:</strong> POL, GOV, DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-15T12:00:00Z",
      "authors": [
        {
          "name": "Open letter; signatories include Alex Stamos, Katie Moussouris, Joshua Saxe, Chris Wysopal, Paul Vixie, Dino A. Dai Zovi, Dragos Ruiu, Dan Lorenc, Joe Levy (Sophos), Jack Cable, and more than 40 executives and technical leaders in information security (affiliations listed for reference only; signing stated as personal rather than organisational endorsement)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ottenheimer-freefable-says-the-mythos-monster-they-sold-you-is-a-mouse-2026-06-15",
      "url": "https://www.flyingpenguin.com/freefable-says-the-mythos-monster-they-sold-you-is-a-mouse/",
      "title": "Ottenheimer — FreeFable Says the Mythos Monster They Sold You Is a Mouse",
      "content_html": "<p><em>Davi Ottenheimer (flyingpenguin)</em></p><p><strong>Published:</strong> 2026-06-15</p><p>15 June 2026 flyingpenguin post on the 14 June freefable.org open letter, which asks the US government to reverse the 12 June export-control directive on Anthropic&#x27;s Fable 5 and Mythos 5 on the grounds that the capability is commodity and replicable on other models. The post juxtaposes the letter against an April 2026 Cloud Security Alliance paper, “The AI Vulnerability Storm: Building a Mythos-ready Security Program,” which framed the same model capability as a sudden offensive step-change and sold readiness programming around it. It observes that several people who contributed to the April paper also signed or contributed to the June letter, and lays out a six-row comparison table (capability, size, clock, stakes, proliferation, safeguards) showing the April and June characterisations as opposites. The argument is that nothing about the underlying model changed between April and June, so the recategorisation of the same code-review behaviour from “AI-driven offense is the new baseline” to a defensive check that “should not be considered an offensive capability” tracks commercial incentive rather than evidence. It notes that several of the figures whose reputations anchored the April paper did not sign the June letter, and concludes that the two documents, pointed at each other, are mutually undermining.</p><p><strong>Tags:</strong> DISC, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-15T12:00:00Z",
      "authors": [
        {
          "name": "Davi Ottenheimer (flyingpenguin)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-basque-et-al-decompiling-the-synergy-an-empirical-study-of-human-llm-teaming-in--2026-06-15",
      "url": "https://www.ndss-symposium.org/ndss-paper/decompiling-the-synergy-an-empirical-study-of-human-llm-teaming-in-software-reverse-engineering/",
      "title": "Basque et al. — Decompiling the Synergy: An Empirical Study of Human–LLM Teaming in Software Reverse Engineering (NDSS 2026)",
      "content_html": "<p><em>Zion Leonahenahe Basque, Samuele Doria, Ananta Soneji, Wil Gibbs, Adam Doupé, Yan Shoshitaishvili, Eleonora Losiouk, Ruoyu “Fish” Wang, Simone Aonzo (Arizona State University; University of Padua; EURECOM)</em></p><p><strong>Published:</strong> 2026-02-01</p><p>Paper presented at NDSS 2026 (23–27 February 2026, San Diego) presenting what the authors describe as the first systematic investigation of how large language models can team with analysts during software reverse engineering (SRE). The study combines an online survey of 153 practitioners with a fine-grained human study of 48 participants (24 novices and 24 experts) instrumented across more than 109 hours of work on two Capture-the-Flag-style binaries chosen to be representative of real-world software. Across 18 findings, the authors report that LLM assistance narrows the expertise gap — novice comprehension rate rises by approximately 98%, matching that of experts, while experts gain little — alongside harms including hallucinations, unhelpful suggestions, and ineffective results. Known-algorithm functions are triaged up to 2.4x faster, and recovery of artifacts such as symbols, comments, and types increases by at least 66%. The paper concludes that there are real human–LLM synergies in SRE while emphasising significant shortcomings in current integration. Authored by researchers at Arizona State University, the University of Padua, and EURECOM.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-15T12:00:00Z",
      "authors": [
        {
          "name": "Zion Leonahenahe Basque, Samuele Doria, Ananta Soneji, Wil Gibbs, Adam Doupé, Yan Shoshitaishvili, Eleonora Losiouk, Ruoyu “Fish” Wang, Simone Aonzo (Arizona State University; University of Padua; EURECOM)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-security-cryptography-whatever-facing-the-vulnpocalypse-with-lcamtuf-micha-zalew-2026-06-15",
      "url": "https://securitycryptographywhatever.com/2026/06/14/facing-the-vulnpocalypse-with-lcamtuf/",
      "title": "Security Cryptography Whatever — Facing the Vulnpocalypse With lcamtuf (Michał Zalewski)",
      "content_html": "<p><em>Security Cryptography Whatever podcast (hosts Deirdre Connolly, Thomas Ptacek, David Adrian; guest Michał Zalewski / lcamtuf)</em></p><p><strong>Published:</strong> 2026-06-14</p><p>14 June 2026 Security Cryptography Whatever podcast episode (recorded 28 May 2026) with guest Michał Zalewski (lcamtuf), author of American Fuzzy Lop (AFL), hosted by Deirdre Connolly, Thomas Ptacek, and David Adrian. Zalewski argues that most vulnerability research has long been automated — by his estimate 80–90% of what is found and fixed in browsers comes from automated tooling — and that LLM-based discovery is a real and transformative shift rather than hype, one practitioners should be using. His contrarian position is not about the technology but about how the industry frames it: he holds that vulnerability research is overvalued as an intrinsic good, that zero-days are generally not how enterprises get compromised, and that having more or fewer of them changes the game less than commonly claimed. He frames most of security as “text comprehension at scale,” a constraint LLMs largely remove. The conversation covers the offence–defence symmetry of discovery tooling (and the asymmetries that persist, such as spear-phishing being easier to generate than to detect), the operational burden the resulting deluge of valid findings places on engineering teams and bug-bounty triage, the case for preventative fixes and safe coding over mitigations alone, whether curl is a meaningful capability benchmark, and the risks of giving agents human-like autonomy and access in mission-critical settings while prompt injection remains unsolved. It closes with Zalewski&#x27;s forthcoming No Starch book, The Secret Life of Circuits.</p><p><strong>Tags:</strong> DISC, XCUT, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-15T12:00:00Z",
      "authors": [
        {
          "name": "Security Cryptography Whatever podcast (hosts Deirdre Connolly, Thomas Ptacek, David Adrian; guest Michał Zalewski / lcamtuf)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-rozenshtein-lawfare-a-kill-switch-for-frontier-ai-2026-06-15",
      "url": "https://www.lawfaremedia.org/article/a-kill-switch-for-frontier-ai",
      "title": "Rozenshtein (Lawfare) — A Kill Switch for Frontier AI",
      "content_html": "<p><em>Alan Z. Rozenshtein (Lawfare; University of Minnesota Law School)</em></p><p><strong>Published:</strong> 2026-06-15</p><p>15 June 2026 Lawfare legal analysis by Alan Z. Rozenshtein (University of Minnesota Law School; Lawfare) of the 12 June 2026 US Commerce Department directive ordering Anthropic to suspend access to Fable 5 and Mythos 5 for any foreign national, including foreign-national employees — which, because users cannot be reliably sorted by nationality, functioned as a global kill switch that took both models offline within hours. Rozenshtein assesses the likely legal basis as the Export Administration Regulations under the Export Control Reform Act of 2018, including the deemed-export rule and the immediate “is informed” licence-requirement letter, and calls it the first use of export controls to restrict access to an AI model. He works through how far the control can reach — model weights, dangerous outputs, or any access to the running model (legally uncertain for software-as-a-service) — sets out the competing government and Anthropic accounts of the underlying jailbreak, and concludes that if frontier models are to be treated as national-security assets that can be switched off, Congress should establish a licensing framework with meaningful standards and process.</p><p><strong>Tags:</strong> POL, GOV, SOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-15T12:00:00Z",
      "authors": [
        {
          "name": "Alan Z. Rozenshtein (Lawfare; University of Minnesota Law School)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "SOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-saxe-banning-mythos-represents-a-basic-misunderstanding-of-ai-cybersecurity-2026-06-14",
      "url": "https://joshuasaxe181906.substack.com/p/banning-mythos-represents-a-basic",
      "title": "Saxe — Banning Mythos represents a basic misunderstanding of AI cybersecurity",
      "content_html": "<p><em>Joshua Saxe</em></p><p><strong>Published:</strong> 2026-06-13</p><p>13 June 2026 Substack essay by Joshua Saxe (author of the earlier “Exploits don’t cause cyberattacks” entry) arguing that the US export-control suspension of Fable 5 and Mythos 5 rests on a misreading of AI cybersecurity. Saxe’s case: defenders were already losing badly before AI — penetration tests routinely succeed against organisations sitting on accumulated security technical debt — and the arrival of AI tooling has not produced the surge in observed breaches that a real zero-day bottleneck would predict, which he reads as evidence attackers were never supply-constrained on novel access. The promise of frontier models is to finally invert the structural attacker advantage by fielding many defensive agents per human engineer, but only if models are opened to the widest, most diverse constituency of defenders (in-house security engineers, open-source contributors, DEF CON attendees, academics); a locked-down model forecloses that flywheel. Diagnoses the AI-policy conversation as skewed toward national-security generalists, frontier-lab safety constituencies, and ML luminaries with little hands-on security practice, and prescribes seating more practitioners with operational backgrounds in the rooms where framings are set. Reads the ban against the 1990s crypto wars and the Metasploit / fuzzing / Kali Linux precedents, where the dual-use-benefits-defenders argument repeatedly prevailed, and allows that a future lockdown could be justified on evidence while holding that the current evidence points to openness. An opinion source.</p><p><strong>Tags:</strong> POL, DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-14T12:00:00Z",
      "authors": [
        {
          "name": "Joshua Saxe"
        }
      ],
      "tags": [
        "POL",
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ronacher-dangerous-technology-for-americans-only-2026-06-14",
      "url": "https://lucumr.pocoo.org/2026/6/13/americans-only/",
      "title": "Ronacher — Dangerous Technology For Americans Only",
      "content_html": "<p><em>Armin Ronacher</em></p><p><strong>Published:</strong> 2026-06-13</p><p>13 June 2026 essay by Armin Ronacher (creator of Flask; blogs at lucumr.pocoo.org) on the 12 June US export-control directive suspending foreign-national access to Anthropic’s Fable 5 and Mythos 5. Ronacher sets aside the schadenfreude over Anthropic’s own danger-framing being taken literally and argues the consequential signal is the boundary the government drew — the technology treated as so powerful that only Americans should hold it, with nationality itself, not buyer or use case, becoming the controlling line (the directive reaching foreign-national Anthropic employees inside and outside the US). He frames this as AI nationalism rather than safety, and as a warning to Europeans and any non-US citizen that the situation cannot be regulated away because it is a question of power Europe lacks, resting on US military and economic leverage. The body is a self-critical account of European weakness — fragmented markets pretending to be single, hard company formation and equity norms, capital and talent draining to the US, regulation mistaken for strategy — locating much of the blame within member states and entrenched incumbents rather than in Brussels. Argues a stronger Europe is a necessary but temporary defence rather than the destination; the destination is restored international cooperation, open source, and broad access to general-purpose capability instead of its concentration in a few corporate and state hands. An opinion source.</p><p><strong>Tags:</strong> SOV, POL, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-14T12:00:00Z",
      "authors": [
        {
          "name": "Armin Ronacher"
        }
      ],
      "tags": [
        "SOV",
        "POL",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-gc3-ncsc-dsit-uk-when-ai-leaves-the-lab-testing-frontier-models-in-government-cy-2026-06-13",
      "url": "https://www.gov.uk/government/case-studies/when-ai-leaves-the-lab-testing-frontier-models-in-government-cyber-defence",
      "title": "GC3 / NCSC / DSIT (UK) — When AI Leaves the Lab: Testing Frontier Models in Government Cyber Defence",
      "content_html": "<p><em>Government Cyber Coordination Centre (GC3), with the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT), UK</em></p><p><strong>Published:</strong> 2026-06-12</p><p>12 June 2026 UK government case study from the Government Cyber Coordination Centre (GC3), an NCSC / DSIT partnership, reporting a month of weekly hackathons that pointed frontier AI at public government code repositories to find and fix unidentified vulnerabilities. Teams built their own tooling; recurring patterns were a six-stage adversarial agent pipeline (triage, validator, auditor, tracer, judge, summary) with a human checking every line, deterministic scanners (Gitleaks, Trivy, Semgrep, Hadolint) feeding layered model stages, and reusable Claude Skills. Headline figures: 407 findings across nine organisations for roughly £13,000 in tokens — critical authentication-bypass, data-exposure and RCE weaknesses, all remediated with no evidence of exploitation, the notable one a GitHub Actions workflow a pull-request comment could trigger into RCE on the runner. The lessons echo the corpus&#x27;s system-over-model thread: architecture matters most, the model matters less than how it is used (per AISI), triage is essential, finding is not fixing. A planned second phase extends to closed-source estates. The applied-deployment counterpart to the AISI evaluation entries and the agentic-harness writeups (Broadcom, Mozilla, Microsoft MDASH, Cisco), and a UK companion to the GDS / DSIT open-code guidance.</p><p><strong>Tags:</strong> GOV, POL, OPS, DISC, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-13T12:00:00Z",
      "authors": [
        {
          "name": "Government Cyber Coordination Centre (GC3), with the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT), UK"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS",
        "DISC",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-statement-on-the-us-government-directive-to-suspend-access-to-fable-5--2026-06-13",
      "url": "https://www.anthropic.com/news/fable-mythos-access",
      "title": "Anthropic — Statement on the US government directive to suspend access to Fable 5 and Mythos 5",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-06-12</p><p>12 June 2026 Anthropic statement reporting that the US government, citing national-security authorities, issued an export-control directive the same day to suspend all access to Fable 5 and Mythos 5 by any foreign national inside or outside the US — including Anthropic&#x27;s own foreign-national employees — forcing Anthropic to disable both models for all customers, with other models unaffected. Anthropic says the directive gave no specifics, but that its understanding is the government learned of a method of jailbreaking Fable 5 used to find a few previously known, minor vulnerabilities that other public models (it names OpenAI&#x27;s GPT-5.5) can find without any bypass. It restates Fable&#x27;s defence-in-depth posture (no universal jailbreak found; 30-day data retention to research jailbreaks), calls the only disclosed jailbreak narrow — asking the model to read a codebase and fix flaws — and, while complying, disagrees that this justifies recalling a model deployed to hundreds of millions, tying the objection to its Policy on the AI Exponential. The first instance in the corpus of the US federal government switching off a deployed commercial frontier model; companion to the Fable 5 / Mythos 5 launch, the 2 June White House Executive Order, and the Ottenheimer read. A vendor statement.</p><p><strong>Tags:</strong> POL, GOV, SOV, DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-13T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "SOV",
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ottenheimer-trump-abruptly-bans-foreigners-using-anthropic-s-top-models-2026-06-13",
      "url": "https://www.flyingpenguin.com/trump-abruptly-bans-foreigners-using-anthropics-top-models/",
      "title": "Ottenheimer — Trump Abruptly Bans Foreigners Using Anthropic's Top Models",
      "content_html": "<p><em>Davi Ottenheimer (flyingpenguin)</em></p><p><strong>Published:</strong> 2026-06-13</p><p>13 June 2026 flyingpenguin post by Davi Ottenheimer on the 12 June US Commerce Department directive suspending access to Anthropic&#x27;s Fable 5 and Mythos 5 (see the companion Anthropic statement). Ottenheimer reads it as a sovereignty warning shot — that a deployed commercial model can be switched off by US fiat at any moment, so organisations should treat dependence on centrally-distributed American technology as a standing risk — and faults Anthropic for safeguards so aggressive they amounted to a self-inflicted denial of service and for branding Mythos 5 its most capable cyber model while filing it in a lower, human-dependent risk tier.</p><p><strong>Tags:</strong> SOV, POL, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-13T12:00:00Z",
      "authors": [
        {
          "name": "Davi Ottenheimer (flyingpenguin)"
        }
      ],
      "tags": [
        "SOV",
        "POL",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-merrill-patch-tuesday-exploit-tuesday-ndaybench-benchmarking-n-day-exploit-gener-2026-06-13",
      "url": "https://magic-box.dev/blog/patch-tuesday/",
      "title": "Merrill — Patch Tuesday, Exploit Tuesday (ndaybench: benchmarking n-day exploit generation)",
      "content_html": "<p><em>Josh Merrill (magic-box.dev; stackviolator / @joshtmerrill)</em></p><p><strong>Published:</strong> 2026-06-08</p><p>8 June 2026 personal-blog post by Josh Merrill on building ndaybench, an in-progress benchmark for LLM n-day exploit generation against Windows, written the day after Anthropic&#x27;s own n-days writeup (its models against 21 Windows kernel CVEs) and its note that no public benchmark was hard enough to capture Mythos Preview. Surveys the shared prior art — Dinkin and Kraft&#x27;s agent-council run against 1,873 Windows driver binaries (~$3 per target, 100+ unique LPE-grade bugs), Origin&#x27;s PatchWatch / Pocsmith patch-diffing pipeline (a full kernel LPE for ~$300 of tokens), and the 2023 IBM X-Force AFD writeup (24 hours patch-to-LPE) — noting each encodes the author&#x27;s manual workflow as agent steps, the same shape as ExploitBench (V8), ExploitGym (898 instances), and SCONE-bench. Identifies two hard parts: verification (clean for LPE via a randomised flag, but each bug class needs bespoke scaffolding) and ground truth (Microsoft publishes no vulnerable-function labels, so the only reliable label comes from building the exploit — making manual research labour, not compute, the binding constraint on dataset size). A compression table tracks time-to-first-PoC from ~24 hours (2023, expert labour) to ~31 minutes at ~$2,000 (2026 Q2, Anthropic n-days / Mythos Preview), while cautioning the in-the-wild n-day generator is not yet here. Closes with the offensive-tooling release debate (Metasploit / Cobalt Strike) and the case for public benchmarks. Companion to the ExploitBench, ExploitGym, Heelan industrialisation, and Anthropic Frontier Red Team entries.</p><p><strong>Tags:</strong> EXPL, DISC, PATCH, XCUT, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-13T12:00:00Z",
      "authors": [
        {
          "name": "Josh Merrill (magic-box.dev; stackviolator / @joshtmerrill)"
        }
      ],
      "tags": [
        "EXPL",
        "DISC",
        "PATCH",
        "XCUT",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-amodei-policy-on-the-ai-exponential-with-the-advanced-ai-framework-2026-06-11",
      "url": "https://www.anthropic.com/policy-on-the-ai-exponential",
      "title": "Amodei — Policy on the AI Exponential (with the Advanced AI Framework)",
      "content_html": "<p><em>Dario Amodei (Anthropic)</em></p><p><strong>Published:</strong> 2026-06-01</p><p>June 2026 policy essay by Anthropic CEO Dario Amodei, published on both Anthropic&#x27;s site and his personal site, accompanied by the Advanced AI Framework as a standalone PDF. The throughline is that AI capability is advancing on an exponential while the policymaking process was built for a slower world; the essay takes the post-Mythos cyber evidence — frontier models finding critical software vulnerabilities at scale, including in every major operating system and browser — as proof that AI is now a technology of national and global strategic consequence rather than a mundane consumer product, and argues it is time to move beyond transparency to binding regulation. The companion Advanced AI Framework proposes mandatory third-party testing of frontier models above a compute threshold (&gt;10^25 FLOPs, developers above $500M AI-related revenue or $1B AI R&amp;D) across four catastrophic-risk categories (cyber, biological, loss of control, automated R&amp;D), with government authority to block or deter dangerous deployments under scoped safeguards, plus transparency, independent evaluation, and security requirements; it proposes an FAA-style model and a &#x27;regulatory markets&#x27; option for evaluators, and argues against federal preemption of state law unless a federal standard is at least as strong. The essay extends across five policy areas: regulation and public safety; macroeconomics and tax policy (measurement of job displacement, pro-employment incentives, and longer-term income support); accelerating downstream AI benefits with regulatory reform (FDA/EMA acceleration for AI-assisted biomedicine); the balance between state power and civil liberties (autonomous-weapons accountability, the bulk-collection / data-broker loophole, public rights to AI advice); and securing democratic leadership through a values-aligned coalition built on shared compute supply-chain controls, coordinated AI-risk regulation, and mutual cyberdefence. Frames the 2 June 2026 White House Executive Order as an incremental move toward the framework&#x27;s position and calls for further action. The frontier-developer-side policy articulation that the Mythos / Glasswing cyber-capability cluster and the US and EU government responses in the corpus are reacting to; a US-national-interest advocacy document, useful as a statement of the regulate-the-frontier position rather than as a neutral source.</p><p><strong>Tags:</strong> POL, GOV, SOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-11T12:00:00Z",
      "authors": [
        {
          "name": "Dario Amodei (Anthropic)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "SOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-smoak-cisco-strengthening-the-foundation-a-predictable-customer-focused-response-2026-06-11",
      "url": "https://blogs.cisco.com/security/strengthening-the-foundation-a-predictable-customer-focused-response-to-ai-accelerated-vulnerability-discovery",
      "title": "Smoak (Cisco) — Strengthening the Foundation: A Predictable, Customer-Focused Response to AI-Accelerated Vulnerability Discovery",
      "content_html": "<p><em>Russ Smoak (VP, Information Security, Security Assurance &amp; Response, Cisco)</em></p><p><strong>Published:</strong> 2026-06-02</p><p>2 June 2026 Cisco Security blog post by Russ Smoak (VP, Information Security, Security Assurance &amp; Response) announcing a structural change to Cisco&#x27;s vulnerability disclosure and patch model in response to AI-accelerated discovery — the PSIRT-and-patch-cadence counterpart to the same-day Grieco (Cisco) post on Cisco&#x27;s AI defensive-scanning programme. From July 2026 Cisco moves to a scheduled, twice-monthly security release model (first and third Wednesdays) with seven days&#x27; advance notice of which technologies and platforms each release will cover, framed as an engineered response to a structural shift in the threat landscape rather than a reaction to any single incident, and to a disclosure-to-exploitation window that has effectively closed. Core network operating systems (IOS XE, IOS XR, NX-OS, Firepower/ASA, SD-WAN) are scheduled quarterly and never released on the same day; other products may ship more often. The most consequential change is to CVE assignment: security-hardened releases will carry &#x27;bundled&#x27; CVEs tied to CWE weakness categories (e.g. one CVE for multiple input-validation fixes under CWE-20, one for access-control fixes under CWE-284) rather than an individual CVE per bug, on the argument that assessing risk CVE-by-CVE and applying point mitigations is no longer fit for purpose and that the most effective protection is running a current hardened release rather than patching individual findings on older ones — with individual CVEs still assigned where a finding requires compensating controls, is known to be exploited, or otherwise demands defender action. Cisco&#x27;s agentic discovery framework (specialized agents for static code analysis, live system testing, configuration review, and exploit simulation, security engineers on-the-loop) runs portfolio-wide to remediate recurring architectural defect classes across products, and AI-discovered systemic hardening is explicitly prioritized ahead of new feature work in affected platforms. The post frames the change as where the infrastructure industry must move, positions predictability and batched releases as reducing rather than adding operational load, and points to Live Protect and Cisco IQ as tooling to bridge the discovery-to-patch gap. A vendor-PSIRT data point on how a major infrastructure vendor is restructuring disclosure and patch cadence for the post-Mythos discovery rate; companion to the Microsoft &#x27;In Scope by Default&#x27;, Google Bug Hunters, and Apple bounty entries on the disclosure-policy side and to the Broadcom and Grieco (Cisco) entries on the vendor-scanning side. Vendor caveat (Cisco markets the controller, Live Protect, Cisco IQ, and Services capabilities referenced).</p><p><strong>Tags:</strong> PATCH, DISCL, OPS, TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-11T12:00:00Z",
      "authors": [
        {
          "name": "Russ Smoak (VP, Information Security, Security Assurance & Response, Cisco)"
        }
      ],
      "tags": [
        "PATCH",
        "DISCL",
        "OPS",
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cisa-bod-26-04-prioritizing-security-updates-based-on-risk-2026-06-10",
      "url": "https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk",
      "title": "CISA — BOD 26-04: Prioritizing Security Updates Based on Risk",
      "content_html": "<p><em>Cybersecurity and Infrastructure Security Agency</em></p><p><strong>Published:</strong> 2026-06-10</p><p>10 June 2026 Binding Operational Directive that supersedes BOD 19-02 and BOD 22-01, requiring federal civilian agencies to prioritise remediation across four risk criteria — Asset Exposure, KEV status, Exploit Automation, and Post-Exploitation Technical Impact — and explicitly dropping mandatory CVSS use so agencies can defer low-risk vulnerabilities. CISA frames it (&quot;patch smarter, not harder&quot;) as a response to AI narrowing the patch-to-exploit window. The operational counterpart to the Reuters/Satter report on CISA weighing a three-day KEV deadline and to the 2 June White House Executive Order, building on the CISA KEV catalog and CISA SSVC entries.</p><p><strong>Tags:</strong> PATCH, TRIAGE, GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-10T12:00:00Z",
      "authors": [
        {
          "name": "Cybersecurity and Infrastructure Security Agency"
        }
      ],
      "tags": [
        "PATCH",
        "TRIAGE",
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bressers-we-have-to-change-the-rules-of-security-2026-06-10",
      "url": "https://opensourcesecurity.io/2026/06-rules-of-security/",
      "title": "Bressers — We have to change the rules of security",
      "content_html": "<p><em>Josh Bressers (Open Source Security)</em></p><p><strong>Published:</strong> 2026-06-09</p><p>9 June 2026 blog post arguing that maintainers drowning in LLM-driven vulnerability reports should change their own rules rather than &quot;go faster&quot;: stop assigning CVE IDs to low- and moderate-severity issues (treat them as ordinary bugs, escalating only if someone finds a clever chain) and define aggressive attack-surface trust boundaries that put some bug classes out of scope. Grounds the licence to do so in the &quot;AS IS&quot; warranty disclaimer of open-source licences. The maintainer-rule-change companion to the curl/Stenberg &quot;High-Quality Chaos&quot; and &quot;The pressure&quot; arc, the Linux Foundation AI-slop fund, and the OpenSSF AI-SLOP best-practices effort.</p><p><strong>Tags:</strong> OPS, DISCL, SUPPLY, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-10T12:00:00Z",
      "authors": [
        {
          "name": "Josh Bressers (Open Source Security)"
        }
      ],
      "tags": [
        "OPS",
        "DISCL",
        "SUPPLY",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-stenberg-a-human-in-control-2026-06-10",
      "url": "https://daniel.haxx.se/blog/2026/06/10/a-human-in-control/",
      "title": "Stenberg — A human in control",
      "content_html": "<p><em>Daniel Stenberg</em></p><p><strong>Published:</strong> 2026-06-10</p><p>10 June 2026 post by the curl maintainer staking out a middle position between &quot;vibe coders&quot; who merge AI output unreviewed and blanket anti-AI refuseniks: the curl team uses AI-based tools — including PR-review bots that increasingly flag issues human reviewers miss — but never hands accountability to a machine. Humans stand for every line merged, and effective open-source communication must remain human-to-human even when the code is AI-assisted. Companion to the other Stenberg/curl entries (&quot;The pressure,&quot; &quot;High-Quality Chaos,&quot; &quot;Mythos finds a curl vulnerability&quot;).</p><p><strong>Tags:</strong> OPS, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-10T12:00:00Z",
      "authors": [
        {
          "name": "Daniel Stenberg"
        }
      ],
      "tags": [
        "OPS",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-stenberg-the-pressure-2026-06-10",
      "url": "https://daniel.haxx.se/blog/2026/05/26/the-pressure/",
      "title": "Stenberg — The pressure",
      "content_html": "<p><em>Daniel Stenberg</em></p><p><strong>Published:</strong> 2026-05-26</p><p>26 May 2026 first-person post on the personal and team toll of the post-Mythos report flood: incoming curl security reports running 4–5× the 2024 rate and double 2025 (now more than one per day), higher quality and far longer, with twelve confirmed vulnerabilities mid-release-cycle — a project record putting curl on track for 30+ CVEs before mid-year. Notes that all recent curl vulnerabilities have been LOW or MEDIUM (the last HIGH was October 2023) and renews the call for commercial funding to distribute the load. The maintainer-burnout data point alongside &quot;High-Quality Chaos&quot; and &quot;Mythos finds a curl vulnerability.&quot;</p><p><strong>Tags:</strong> OPS, DISC, DISCL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-10T12:00:00Z",
      "authors": [
        {
          "name": "Daniel Stenberg"
        }
      ],
      "tags": [
        "OPS",
        "DISC",
        "DISCL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-claude-fable-5-and-claude-mythos-5-2026-06-10",
      "url": "https://www.anthropic.com/news/claude-fable-5-mythos-5",
      "title": "Anthropic — Claude Fable 5 and Claude Mythos 5",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-06-09</p><p>9 June 2026 launch of Claude Fable 5 — a Mythos-class model made generally available with classifier safeguards that fall back to Claude Opus 4.8 on cybersecurity, biology/chemistry, and distillation queries (triggering in under 5% of sessions) — and Claude Mythos 5, the same underlying model with cyber safeguards lifted for Project Glasswing partners as an upgrade to Mythos Preview and described as the strongest cyber model in the world. Priced at $10/$50 per million input/output tokens (under half the Mythos Preview price), with mandatory 30-day data retention for all Mythos-class traffic. Extends the Project Glasswing, Mythos Preview capability, and Cyber Verification Program entries.</p><p><strong>Tags:</strong> DISC, EXPL, POL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-10T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "POL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ottenheimer-executive-summary-for-claude-mythos-project-glasswing-june-2026-veri-2026-06-10",
      "url": "https://www.flyingpenguin.com/executive-summary-for-claude-mythos-project-glasswing-june-2026-verification-status/",
      "title": "Ottenheimer — Executive Summary for Claude Mythos / Project Glasswing: June 2026 Verification Status",
      "content_html": "<p><em>Davi Ottenheimer (flyingpenguin)</em></p><p><strong>Published:</strong> 2026-06-08</p><p>8 June 2026 board-brief synthesis of Ottenheimer&#x27;s sceptical Mythos series, recommending that procurement and risk decisions resting on the Mythos capability claim be deferred until Anthropic&#x27;s promised ~6 July report can be independently reviewed. Argues that of 23,019 reported findings only 1,752 were human- or firm-verified with 75 fixes shown, that the 90.6% accuracy figure covers only the ~8% human-checked, that the flagship FreeBSD CVE-2026-4747 was backlog recall rather than novel discovery, and that eight open-weight models reproduce the detection at commodity cost. Extends the author&#x27;s earlier journal-only FreeBSD post and reads against the Glasswing initial update, the Fable 5 / Mythos 5 launch, the Cisco (Grieco) and clearbluejar reproductions, and the Provos &quot;system over model&quot; findings.</p><p><strong>Tags:</strong> DISC, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-10T12:00:00Z",
      "authors": [
        {
          "name": "Davi Ottenheimer (flyingpenguin)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-grieco-cisco-8-years-of-security-research-in-8-weeks-transforming-cybersecurity--2026-06-06",
      "url": "https://blogs.cisco.com/news/8-years-of-security-research-in-8-weeks-transforming-cybersecurity-with-ai",
      "title": "Grieco (Cisco) — 8 Years of Security Research in 8 Weeks: Transforming Cybersecurity with AI",
      "content_html": "<p><em>Anthony Grieco (SVP &amp; Chief Security &amp; Trust Officer, Cisco)</em></p><p><strong>Published:</strong> 2026-06-02</p><p>2 June 2026 Cisco Blogs Executive Platform post by SVP &amp; Chief Security &amp; Trust Officer Anthony Grieco reporting on a Cisco-internal AI defensive-scanning programme that scanned 1.8 billion lines of code across more than 25 coding languages in eight weeks — work the post characterises as equivalent to eight years of manual effort. Headline operational figure: a false-positive rate under 3% across the full corpus, achieved by pairing frontier LLMs (Claude Mythos Preview and GPT-5.5-Cyber named) with the open-sourced Cisco Foundry Security Spec harness — a model-agnostic orchestration framework tested across six frontier models and published as an extension of the GitHub Spec Kit. The argument is that the model is the accelerant and the harness is the engine: years of Advanced Security Initiatives Group domain knowledge (test beds, research notes, prioritisation logic) embedded into the harness shifted the historical static-analysis ratio of roughly one useful finding per 10,000 warnings into actionable-precision territory at codebase scale. Vendor caveat (Cisco markets the Foundry Security Spec as part of its security portfolio).</p><p><strong>Tags:</strong> DISC, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-06T12:00:00Z",
      "authors": [
        {
          "name": "Anthony Grieco (SVP & Chief Security & Trust Officer, Cisco)"
        }
      ],
      "tags": [
        "DISC",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-openai-a-shared-playbook-for-trustworthy-third-party-evaluations-2026-06-06",
      "url": "https://openai.com/index/trustworthy-third-party-evaluations-foundations/",
      "title": "OpenAI — A shared playbook for trustworthy third party evaluations",
      "content_html": "<p><em>OpenAI</em></p><p><strong>Published:</strong> 2026-05-29</p><p>29 May 2026 OpenAI post setting out methodological guidance for third-party evaluations of frontier-model capabilities and safeguards, intended to inform emerging national and international evaluation standards. Three claim-types are distinguished — capability elicitation, safeguard performance, and controlled comparison — each with a corresponding harness choice, and five known validity hazards (reward hacking, refusals, contamination, broken problems, sandbagging) that reports should explicitly check for. Two arguments are load-bearing: capability is resource-dependent rather than a fixed quantity (increasing the test-time budget from 10M to 100M tokens improved performance by up to 59% on one cyber range, with performance still climbing), so scores under a fixed budget should be reported as lower-bound estimates; and safeguard testing can understate attack severity when it fails to account for adversary resources, including custom harnesses that preserve and reuse bypass patterns across turns. Operational commitments: maximum-elicitation guidance for evaluators, Codex as a common baseline harness for OpenAI-model evaluations, reasoning traces made available to evaluators, and prioritised research on how harness choices change results. Vendor caveat (OpenAI&#x27;s framing is its own).</p><p><strong>Tags:</strong> DISC, POL, XCUT, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-06T12:00:00Z",
      "authors": [
        {
          "name": "OpenAI"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "XCUT",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-clearbluejar-system-over-model-tested-reproducing-mythos-s-freebsd-find-on-local-2026-06-06",
      "url": "https://clearbluejar.github.io/posts/system-over-model-tested-mythos-freebsd-local-openweight/",
      "title": "clearbluejar — System Over Model, Tested: Reproducing Mythos's FreeBSD Find on Local Open-Weight Models",
      "content_html": "<p><em>clearbluejar</em></p><p><strong>Published:</strong> 2026-06-04</p><p>4 June 2026 personal-blog post by clearbluejar testing the &quot;system over model&quot; thesis further down the cost curve by reproducing the Mythos Preview FreeBSD CVE-2026-4747 discovery using two local open-weight models — openai/gpt-oss-20b and google/gemma-4-31b-it, both running on a single consumer GPU — through AISLE&#x27;s published nano-analyzer pipeline. The pipeline is the three-stage shape now common to AI vulnerability-scanning workflows: per-file context briefing, severity-rated candidate scan with worked example, and multi-round triage with separate-model arbiter and grep verification. Run at full sub-system scope (~50 files in sys/rpc/), both models appear to miss the bug on the first run; a re-run recovers the finding, with the headline problem being not capability but signal-to-noise — the pipeline graduates a pile of false positives and buries the real one. The substantive contribution is an additional reachability stage added to the harness that cuts false positives from ~30 to ~5 with the CVE finding still standing: the scaffolding does more of the work than the model, and is a lever practitioners can pull on their own model.</p><p><strong>Tags:</strong> DISC, EXPL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-06T12:00:00Z",
      "authors": [
        {
          "name": "clearbluejar"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-alexandre-yeswehack-scaling-bug-bounty-triage-in-the-ai-era-2026-06-06",
      "url": "https://www.yeswehack.com/security-best-practices/scaling-bug-bounty-triage-ai",
      "title": "Alexandre (YesWeHack) — Scaling Bug Bounty triage in the AI era",
      "content_html": "<p><em>Maria Alexandre (YesWeHack); with quoted commentary from Adrien Jeanneau (VP Security Analyst, YesWeHack)</em></p><p><strong>Published:</strong> 2026-05-19</p><p>19 May 2026 YesWeHack blog post describing the platform&#x27;s six-step structured triage workflow (metadata enrichment, compliance check, duplicate verification with AI scoring, full PoC reproduction, severity assessment with AI probability signals and CVSS-consistency checks, and triage recommendations) and its AI-augmented operating model — certified security engineers (OSCP, OSWE, CVSS-trained) handling the validation work, with AI auto-completing metadata, scoring for duplicates, and providing severity-prediction signals at the front of the funnel. Frames the post-Mythos triage problem in vendor-side operational terms: AI-enabled hunters submit faster than ever, basic triage handles scope checks but leaves customer teams re-testing reports and debating severity, and validation capacity lags unless the provider scales with the programme. Vendor caveat (YesWeHack sells bug-bounty programme and triage services).</p><p><strong>Tags:</strong> DISCL, OPS, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-06T12:00:00Z",
      "authors": [
        {
          "name": "Maria Alexandre (YesWeHack); with quoted commentary from Adrien Jeanneau (VP Security Analyst, YesWeHack)"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-house-homeland-security-subcommittee-hearing-the-ai-security-landscape-how-front-2026-06-04",
      "url": "https://homeland.house.gov/hearing/the-ai-security-landscape-how-frontier-models-agentic-ai-and-ai-coding-tools-are-reshaping-cybersecurity-and-critical-infrastructure-resilience/",
      "title": "House Homeland Security subcommittee hearing — The AI Security Landscape: How Frontier Models, Agentic AI, and AI Coding Tools Are Reshaping Cybersecurity and Critical Infrastructure Resilience",
      "content_html": "<p><em>US Congress, 119th Cong. (House Committee on Homeland Security&#x27;s Subcommittee on Cybersecurity and Infrastructure Protection, chaired by Ogles, Swalwell ranking; Garbarino full committee chair, Thompson ranking ex officio). Witnesses: Sandra Joyce (Vice President, Google Threat Intelligence, Google LLC); Chris Meserole (Executive Director, the Frontier Model Forum); Jack Cable (Chief Executive Officer and Co-Founder, Corridor Security Inc.); Dr. Matthew Guariglia (Senior Policy Analyst, Electronic Frontier Foundation).</em></p><p><strong>Published:</strong> 2026-06-04</p><p>4 June 2026 House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing in 310 Cannon House Office Building (10:30 a.m. ET) examining how frontier models, agentic AI, and AI coding tools are reshaping cybersecurity and critical infrastructure resilience. Witness panel spans industry threat intelligence (Sandra Joyce, Google Threat Intelligence — author of the GTIG &quot;Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever&quot; line of work), the frontier-AI industry policy forum (Chris Meserole, Frontier Model Forum), an AI-security start-up (Jack Cable, Corridor Security; previously a senior technical adviser at CISA), and civil liberties (Matthew Guariglia, Electronic Frontier Foundation). Single-subcommittee follow-up to the 17 December 2025 joint hearing on the GTG-1002 disclosure, this time framed around the broader AI-security landscape rather than a single incident. Held the same week as Anthropic&#x27;s 2 June 2026 announcement expanding Project Glasswing to ~150 organisations across 15+ countries and the same-day White House Executive Order on Promoting Advanced Artificial Intelligence Innovation and Security; the House counterpart of the executive-branch and EU-parliamentary metabolisation of the post-Mythos capability cluster.</p><p><strong>Tags:</strong> GOV, POL, DISC, EXPL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-04T12:00:00Z",
      "authors": [
        {
          "name": "US Congress, 119th Cong. (House Committee on Homeland Security's Subcommittee on Cybersecurity and Infrastructure Protection, chaired by Ogles, Swalwell ranking; Garbarino full committee chair, Thompson ranking ex officio). Witnesses: Sandra Joyce (Vice President, Google Threat Intelligence, Google LLC); Chris Meserole (Executive Director, the Frontier Model Forum); Jack Cable (Chief Executive Officer and Co-Founder, Corridor Security Inc.); Dr. Matthew Guariglia (Senior Policy Analyst, Electronic Frontier Foundation)."
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "DISC",
        "EXPL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-expanding-project-glasswing-2026-06-03",
      "url": "https://www.anthropic.com/news/expanding-project-glasswing",
      "title": "Anthropic — Expanding Project Glasswing",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-06-02</p><p>2 June 2026 announcement extending Project Glasswing to approximately 150 new organizations across more than 15 countries, following the April launch with ~50 initial partners and the 22 May initial update reporting 10,000+ high-/critical-severity findings. The new cohort covers industries underrepresented in the initial group — power, water, healthcare, communications, and hardware — and includes many vendors and open-source maintainers whose codebases are relied upon by other organizations and governments; Anthropic states that for most partners a major attack on their codebase could affect more than 100 million people. Reiterates the twofold framing of Project Glasswing&#x27;s purpose (helping the software industry adapt by providing wide access to better models, tools, and common infrastructure; and steadily shifting support from finding vulnerabilities toward disclosing, fixing, and deploying patched software) and announces that the internal tools developed to help Glasswing partners find vulnerabilities more quickly will be released on request to trusted security teams, alongside the recently launched Claude Security product (built on public frontier models such as Claude Opus 4.8). Restates the 6–12-month horizon for other AI companies fielding Mythos-class models that may be released without safeguards, and notes intent to scale up the Cyber Verification Program for cyberdefense tasks. Companion to the April Glasswing launch announcement and the 22 May initial update; vendor announcement, figures are Anthropic&#x27;s own.</p><p><strong>Tags:</strong> DISC, POL, HIST, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-03T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "HIST",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-white-house-executive-order-promoting-advanced-artificial-intelligence-innovatio-2026-06-03",
      "url": "https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/",
      "title": "White House — Executive Order: Promoting Advanced Artificial Intelligence Innovation and Security",
      "content_html": "<p><em>Donald J. Trump, President of the United States</em></p><p><strong>Published:</strong> 2026-06-02</p><p>2 June 2026 Executive Order on AI innovation and cybersecurity. Three operational components on 30-day deadlines: (i) the Committee on National Security Systems and the Secretary of War to prioritise cyber defence of National Security Systems and Department of War information systems respectively; (ii) DHS, through CISA — in consultation with OMB, the Assistant to the President for National Security Affairs, and the National Cyber Director — to release Binding Operational Directives and other guidance to expedite federal civilian cyber defence, establish or expand federal programmes that enhance AI-enabled defensive tools, and facilitate access to cybersecurity tools and services (including, where appropriate, &#x27;covered frontier models&#x27;) for agencies, state and local authorities, and operators of critical infrastructure such as rural hospitals, community banks, and local utilities; (iii) the Secretary of the Treasury, in consultation with ONCD, NSA, and CISA, to form an AI cybersecurity clearinghouse in voluntary collaboration with the AI industry and critical-infrastructure operators that coordinates and deconflicts scanning for software vulnerabilities, discovers and validates such vulnerabilities, and coordinates and prioritises remediation and patch distribution. Section 3 directs Treasury, NSA, CISA, ONCD, OSTP, and NIST, within 60 days, to develop a classified benchmarking process for designating AI models as &#x27;covered frontier models&#x27; (designation made by the Director of NSA in consultation with ONCD, the Assistant to the President for Science and Technology, CISA, and other War Department representatives) and to design a voluntary framework under which developers may engage the federal government on covered-frontier-model designation, provide the government with access to such models for up to 30 days before broader trusted-partner release (subject to confidentiality, cybersecurity, insider-risk, and IP protections), and collaborate on the selection of trusted partners for early access. Section 3(c) explicitly forecloses any construction of the order to authorise &#x27;a mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of new AI models, including frontier models.&#x27; Section 4 directs the Attorney General to prioritise enforcement of 18 U.S.C. §§ 1028, 1030, 1343 and other applicable federal criminal laws against AI-enabled illegal computer access, including via AI agents. The clearest US-federal-executive-branch metabolisation in the corpus of the Mythos / Glasswing capability cluster, building on the Hassan-Ernst Senate letter (December 2025), the ONCD industry consultation (Mak et al., Politico, 30 April 2026), the CISA KEV-deadline review (Satter, Reuters, 1 May 2026), and the Latta et al. House letter (13 May 2026); released the same day as Anthropic&#x27;s announcement expanding Project Glasswing to ~150 organisations across 15+ countries.</p><p><strong>Tags:</strong> POL, GOV, DISC, PATCH, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-06-03T12:00:00Z",
      "authors": [
        {
          "name": "Donald J. Trump, President of the United States"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "DISC",
        "PATCH",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-dsit-aisi-uk-uk-and-australia-pact-on-fast-moving-ai-security-risks-2026-05-31",
      "url": "https://www.gov.uk/government/news/uk-and-australia-pact-on-fast-moving-ai-security-risks",
      "title": "DSIT / AISI (UK) — UK and Australia pact on fast-moving AI security risks",
      "content_html": "<p><em>UK Department for Science, Innovation and Technology, AI Security Institute, and Kanishka Narayan MP (UK AI Minister); Australian Assistant Minister for Science, Technology and the Digital Economy Dr Andrew Charlton</em></p><p><strong>Published:</strong> 2026-05-25</p><p>25 May 2026 UK DSIT / AISI press release announcing a Memorandum of Understanding between the UK AI Security Institute and the Australian AI Safety Institute, signed in Canberra by UK AI Minister Kanishka Narayan and Australia&#x27;s Assistant Minister for Science, Technology and the Digital Economy Dr Andrew Charlton. Under the MoU the two institutes commit to sharing information on frontier AI capabilities (including how systems could be used in cyber-attacks and how they can strengthen defences), collaborating on best practice in AI evaluation, sharing research findings, and opening staff exchanges between the institutes. The release ties the agreement explicitly to the post-Mythos cyber-capability trajectory, citing new AISI research showing that advanced AI systems are rapidly improving their ability to carry out complex cyber-attacks with opportunities for both attackers and defenders, and frames the partnership as bringing the long-standing UK-Australia security cooperation into the AI era. Notes that AISI&#x27;s bilateral work sits within the broader International Network for Advanced AI Measurement, Evaluation and Science. The bilateral-institutional counterpart on the UK side to the ASD/ACSC update on the Australian side, and the UK-Australia anchor in the wider cluster of national AI-security-institute responses to the post-Mythos environment.</p><p><strong>Tags:</strong> GOV, POL, SOV, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-31T12:00:00Z",
      "authors": [
        {
          "name": "UK Department for Science, Innovation and Technology, AI Security Institute, and Kanishka Narayan MP (UK AI Minister); Australian Assistant Minister for Science, Technology and the Digital Economy Dr Andrew Charlton"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-three-buddy-problem-x-ekoparty-miami-perri-adams-on-proof-engines-llms-and-the-n-2026-05-29",
      "url": "https://docs.google.com/document/d/1UgWAYuS7RMQd3eSCcWIxNB6wYyVluuPIlLNZpbPxQDg/edit?pli=1&tab=t.0#heading=h.uat707byod1j",
      "title": "Three Buddy Problem x Ekoparty Miami — Perri Adams on Proof Engines, LLMs, and the New Era of Verifiable Code",
      "content_html": "<p><em>Perri Adams (founder and CEO, Inflection Points; fellow, Dartmouth Institute for Security Technology Studies; former DARPA program manager who created the AI Cyber Challenge), with Juan Andres Guerrero-Saade and Ryan Naraine (Security Conversations)</em></p><p><strong>Published:</strong> 2026-05-26</p><p>Three Buddy Problem live episode recorded at Ekoparty Miami with Perri Adams (former DARPA programme manager who created the AI Cyber Challenge; now founder and CEO of Inflection Points and a fellow at Dartmouth&#x27;s Institute for Security Technology Studies). The conversation reframes proof engines and formal methods as load-bearing infrastructure for AI-assisted code: LLMs make verifiers and proof engines essential rather than niche, vulnerability research is operating well ahead of threat intelligence, and security checks belong baked into code-generation tools such as Claude Code and Codex. Covers the design of a multi-million-dollar challenge that is permitted to fail (AIxCC), the Mythos &quot;too dangerous to release&quot; debate, and the observation that every LLM-discovered bug is a public bug by default. Hosts: Juan Andres Guerrero-Saade and Ryan Naraine.</p><p><strong>Tags:</strong> DISC, POL, XCUT, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-29T12:00:00Z",
      "authors": [
        {
          "name": "Perri Adams (founder and CEO, Inflection Points; fellow, Dartmouth Institute for Security Technology Studies; former DARPA program manager who created the AI Cyber Challenge), with Juan Andres Guerrero-Saade and Ryan Naraine (Security Conversations)"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "XCUT",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-department-of-commerce-oig-evaluation-of-nist-s-management-of-the-national-vulne-2026-05-29",
      "url": "https://www.oig.doc.gov/reports/?entry=70787",
      "title": "Department of Commerce OIG — Evaluation of NIST's Management of the National Vulnerability Database (Report OIG-26-020-I)",
      "content_html": "<p><em>U.S. Department of Commerce, Office of Inspector General, Office of Audit and Evaluation; signed by Assistant Inspector General for Audit and Evaluation Arthur L. Scott Jr.; addressed to Acting Under Secretary for Standards and Technology and Acting Director of NIST Craig S. Burkhardt</em></p><p><strong>Published:</strong> 2026-05-26</p><p>26 May 2026 Department of Commerce OIG evaluation report (OIG-26-020-I) on NIST&#x27;s management of the NVD over October 2023 to December 2025. OIG&#x27;s summary finding: NIST does not have sustainable processes to manage NVD submissions and will be unable to clear the backlog of unprocessed vulnerabilities or prevent future processing delays without significant changes. Four issues identified: NIST&#x27;s lack of strategic planning and decisive action have allowed the backlog of unprocessed vulnerabilities to continue growing; NIST must improve the efficiency of enrichment processes to ensure sustainability, with OIG estimating that NIST could put approximately $800,000 to better use over the next two years by minimizing its calculation of severity scores; NIST and CISA are operating two vulnerability enrichment programs with significant overlap, which has led to duplicated efforts and wasted approximately $200,000 since May 2024; and NIST&#x27;s insufficient communication has frustrated stakeholders and decreased confidence in the NVD. NIST considers the NVD a key piece of U.S. cybersecurity infrastructure, but its actions to resolve and prevent processing backlogs do not reflect that characterization; until the backlog is resolved and processes are made sustainable, the NVD will not achieve its mission, and public trust in the NVD will continue to erode. Six recommendations; NIST concurred with all six. Federal-IG-side companion to the 15 April 2026 NIST policy update.</p><p><strong>Tags:</strong> TRIAGE, GOV, SOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-29T12:00:00Z",
      "authors": [
        {
          "name": "U.S. Department of Commerce, Office of Inspector General, Office of Audit and Evaluation; signed by Assistant Inspector General for Audit and Evaluation Arthur L. Scott Jr.; addressed to Acting Under Secretary for Standards and Technology and Acting Director of NIST Craig S. Burkhardt"
        }
      ],
      "tags": [
        "TRIAGE",
        "GOV",
        "SOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-pesoli-errico-cavallaro-demystifying-the-mythos-or-disrupting-bugonomics-from-ze-2026-05-26",
      "url": "https://arxiv.org/abs/2605.24632v1",
      "title": "Pesoli, Errico & Cavallaro — Demystifying the Mythos or Disrupting Bugonomics? From Zero-Day Asymmetry to Defender Remediation Throughput",
      "content_html": "<p><em>Alfredo Pesoli (Bynario), Herman Errico (Vanta), Lorenzo Cavallaro (University College London / Bynario)</em></p><p><strong>Published:</strong> 2026-05-23</p><p>Recent demonstrations of large language models producing candidate and confirmed vulnerabilities in production software have renewed the narrative that AI will reshape offensive and defensive security. Headlines emphasize capability; they rarely interrogate costs and incentives. This paper examines LLM-driven vulnerability discovery through a bugonomics lens: the operational economics of producing, proving, prioritizing, and fixing security-relevant defects. Historically, the most visible high-end bugonomics was offense-priced because production-grade zero-days and exploit chains were expensive specialist outputs for governments, brokers, and offensive vendors. Defender-side bugonomics already existed in Project Zero-style research, vulnerability reward programs, and vendor remediation work; LLM-assisted systems change its scale and distribution. They make candidate generation, code comprehension, harness construction, test-case generation, proof-of-impact drafting, and report preparation cheaper for defenders operating at codebase scale. Exploits and proofs of concept remain important, but in defender workflows they primarily prove impact, guide prioritization, and justify remediation. The resulting bottleneck is not only finding more bugs; it is absorbing, validating, triaging, patching, and shipping a larger stream of both useful findings and low-quality reports. Using public data from Anthropic&#x27;s Mythos Preview and Mozilla Firefox collaborations, together with public exploit-market price anchors, vulnerability reward programs, and incident baselines, we argue that the near-term shift is not simply “more zero-days.” It is a move from zero-day asymmetry toward broader defender remediation throughput: low-signal candidates become cheaper, evidence-rich remediation packages become more important, and scarce capacity shifts toward maintainer review and release work. The effect is especially acute in open source, where LLM-assisted discovery can increase report volume at machine speed while maintainer-side discovery, validation, triage, funding, and release capacity do not scale automatically with it.</p><p><strong>Tags:</strong> XCUT, DISC, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-26T12:00:00Z",
      "authors": [
        {
          "name": "Alfredo Pesoli (Bynario), Herman Errico (Vanta), Lorenzo Cavallaro (University College London / Bynario)"
        }
      ],
      "tags": [
        "XCUT",
        "DISC",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-provos-the-day-after-the-zero-days-2026-05-26",
      "url": "https://www.provos.org/p/day-after-the-zero-days/",
      "title": "Provos — The Day After the Zero-Days",
      "content_html": "<p><em>Niels Provos</em></p><p><strong>Published:</strong> 2026-05-20</p><p>20 May 2026 follow-up to Provos&#x27;s &quot;Finding Zero-Days with Any Model&quot; (separate entry), delivered at the Cloud Security Alliance AI Summit. Provos — committer of the OpenBSD TCP SACK code in November 1998 that carried the signed-integer / NULL-dereference bug Mythos surfaced 27 years later on 7 April 2026 — opens with that personal data point to argue that careful human review does not reliably catch this class of defect, and that AI-driven discovery is now an orchestration problem rather than a frontier-model problem: his open-source IronCurtain finite-state-machine harness drove autonomous discovery against Opus 4.7, Sonnet 4.6, and Z.AI&#x27;s open-weight GLM 5.1 at tens-to-low-hundreds of dollars per audit, so the right baseline assumption is attacker-defender parity on capability. The core argument is that patch-cadence defence is failing on two fronts — discovery now scales with API credit while patch consumption does not, and vulnerability management is reactive by design — so the response is not to find or patch bugs faster but to deploy machine-enforced security invariants that take whole attack classes off the critical path: hardware 2FA against credential phishing, default-deny egress control (illustrated with log4j), positive execution / binary allowlisting, hardware memory tagging (ARM MTE, Apple Memory Integrity Enforcement, CHERI) against heap-class memory-safety bugs, and Context-Aware Data Access against insider and support-tool risk (illustrated with the July 2020 Twitter admin-tool compromise). Provos reports a companion breach-disclosure analysis on securityblueprints.io finding that three consistently-applied invariants would have impeded on the order of 65% of incidents, and argues that AI in the loop has collapsed the talent-and-budget barrier that previously kept these decade-old controls confined to a handful of large technology companies.</p><p><strong>Tags:</strong> DISC, PATCH, OPS, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-26T12:00:00Z",
      "authors": [
        {
          "name": "Niels Provos"
        }
      ],
      "tags": [
        "DISC",
        "PATCH",
        "OPS",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-asd-acsc-australia-frontier-ai-models-and-their-impact-on-cyber-security-updated-2026-05-25",
      "url": "https://www.cyber.gov.au/about-us/view-all-content/news/frontier-models-and-their-impact-on-cyber-security-update",
      "title": "ASD / ACSC (Australia) — Frontier AI models and their impact on cyber security (updated)",
      "content_html": "<p><em>Australian Signals Directorate (ASD) / Australian Cyber Security Centre (ACSC)</em></p><p><strong>Published:</strong> 2026-05-08</p><p>ASD&#x27;s canonical-channel guidance on the cyber security implications of increasingly capable frontier AI models. First published 9 April 2026 (two days after the 7 April Anthropic Mythos Preview announcement) and subsequently revised; the live page at the URL above carries a &quot;Last updated: 08 May 2026&quot; stamp, and the date here reflects that update. The update folds in evidence directly relevant to the paper&#x27;s diffusion argument: that many of the vulnerability-discovery techniques demonstrated by Claude Mythos can already be reproduced using inexpensive open-weight models, so the assumption that hostile actors lag frontier capability by many months is no longer safe, while existing defensive controls properly implemented remain effective friction. Cites the Mozilla 271-Firefox-fixes figure as defensive upside and the AISI inference-scaling finding (no performance plateau). The ACS Information Age coverage records ASD calling Mythos &quot;an illustrative example of what frontier AI technology could mean for the cybersecurity community,&quot; advising organisations to &quot;implement a strong cybersecurity baseline&quot; while admitting &quot;no mitigation strategy can provide complete protection,&quot; and pointing to Project Glasswing as an example of the cybersecurity benefit AI can bring; ASD did not say whether it had sought access to Mythos. The strongest APAC national-cyber-agency match to the EU/UK CSIRT cluster, alongside Singapore&#x27;s CSA. Companion to the ASIC open letter (8 May 2026, financial-regulator register) on the Australian side.</p><p><strong>Tags:</strong> GOV, POL, OPS, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-25T12:00:00Z",
      "authors": [
        {
          "name": "Australian Signals Directorate (ASD) / Australian Cyber Security Centre (ACSC)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mddi-csa-singapore-response-to-pq-on-ai-enabled-cybersecurity-risks-parliament-5-2026-05-25",
      "url": "https://www.csa.gov.sg/news-events/speeches/mddi-s-response-to-pq-on-ai-enabled-cybersecurity-risks/",
      "title": "MDDI / CSA (Singapore) — Response to PQ on AI-enabled Cybersecurity Risks (Parliament, 5 May 2026)",
      "content_html": "<p><em>Ministry of Digital Development and Information (MDDI) / Cyber Security Agency of Singapore (CSA); response delivered in Parliament by Senior Minister of State Tan Kiat How</em></p><p><strong>Published:</strong> 2026-05-05</p><p>5 May 2026 MDDI reply to Parliamentary Questions for Oral Answer at the Singapore Parliament sitting, published on the canonical CSA channel (reposted from the MDDI newsroom at https://www.mddi.gov.sg/newsroom/mddi-s-response-to-pq-on-ai-enabled-cybersecurity-risks/). Mythos is named in the question itself (Mr Edward Chia), and the reply answers four named MPs. Three threads load-bearing for the paper. First, access asymmetry: &quot;The Government does not have access to Mythos&quot; — released only to a limited set of partners under controlled preview, with no local bank known to have access — and &quot;we do not assume that we will always have early access to every frontier model,&quot; so without direct access Singapore assesses risk from published evaluations, threat intelligence, and engagement with the major AI labs. Second, the progression-not-paradigm framing: advances enabled by Mythos are &quot;part of a continuum rather than a step change,&quot; with GPT-5.5 already showing comparable capabilities and more widely available, and open-source models likely to reach similar capabilities within months. Third, the &quot;get the basics right, with urgency&quot; prescription at board/CEO level across five areas (revisit risk assessment for the narrowing discovery-to-exploitation window; asset visibility; patch faster and monitor continuously; govern your own AI use per CSA&#x27;s Securing Agentic AI addendum; use AI in defence). Notes CSA will issue a letter to CII owners&#x27; boards that same day (the David Koh Commissioner&#x27;s Letter, attached to the page as a PDF annex) and that MAS has convened major financial-institution CEOs. A high-quality APAC entry — named national agency, canonical channel, dated, Mythos named in source — parallel to the NCSC-IE Browne Oireachtas statement on the parliamentary-record side.</p><p><strong>Tags:</strong> GOV, POL, OPS, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-25T12:00:00Z",
      "authors": [
        {
          "name": "Ministry of Digital Development and Information (MDDI) / Cyber Security Agency of Singapore (CSA); response delivered in Parliament by Senior Minister of State Tan Kiat How"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-frontier-red-team-coordinated-vulnerability-disclosure-dashboard-2026-05-25",
      "url": "https://red.anthropic.com/2026/cvd/",
      "title": "Anthropic Frontier Red Team — Coordinated vulnerability disclosure dashboard",
      "content_html": "<p><em>Anthropic Frontier Red Team</em></p><p><strong>Published:</strong> 2026-05-22</p><p>Live dashboard tracking Anthropic&#x27;s coordinated vulnerability disclosure (CVD) programme, in which an early snapshot of Claude Mythos Preview is used to find vulnerabilities in open-source software, with six external security research firms (or Anthropic itself) triaging and validating findings before human-reviewed critical- or high-severity reports are disclosed to maintainers. The snapshot read for this entry (22 May 2026) records 1,596 vulnerabilities disclosed across 281 open-source projects, of which 97 had been patched and 88 had received a CVE or GitHub Security Advisory (GHSA); some maintainers shipped a fix without publishing an advisory. The funnel above disclosure: 23,019 candidate findings, 1,900 reviewed by external firms, 1,726 confirmed valid (a 90.8% true-positive rate, which the dashboard explicitly cautions is only one proxy for impact since it includes already-reported and won&#x27;t-fix bugs), 467 reported to maintainers via the triage path plus 1,129 disclosed direct to maintainers at their request (which may contain false positives). Human triage is described as the rate-limiting step, so disclosed counts are a subset of total Mythos Preview findings. The page publishes a SHA-3-512 hash-commitment ledger (1,611 entries) proving the existence and commitment date of each finding inside its disclosure window without revealing content, alongside a machine-readable payload and a republished manifest hash for verification of every figure. Public CVE records at the time of reading included nginx (heap-buffer-overflow and a critical unauthenticated WebDAV file write), jq, MapServer, temporalio/temporal, a cluster of wolfSSL crypto and certificate-validation flaws, and nomad; public GHSAs included libyang, CraftCMS, mastodon, gitoxide, junrar, freerdp, Ghost, ImageMagick, and minio. A severity-agreement matrix (n=463) compares Claude&#x27;s pre-maintainer severity assessments against the external firms&#x27; assessments: 58.7% exact agreement and 94.4% within one band, with Claude tending to rate higher because maintainer-specific severity context is unavailable at run time. The operational complement to the Mythos Preview capability writeup and the Glasswing programme updates: where those document discovery capability, this dashboard documents the disclosure-and-patching bottleneck the same capability creates.</p><p><strong>Tags:</strong> DISC, DISCL, POL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-25T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic Frontier Red Team"
        }
      ],
      "tags": [
        "DISC",
        "DISCL",
        "POL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-uk-aisi-how-fast-is-autonomous-ai-cyber-capability-advancing-2026-05-25",
      "url": "https://www.aisi.gov.uk/blog/how-fast-is-autonomous-ai-cyber-capability-advancing",
      "title": "UK AISI — How fast is autonomous AI cyber capability advancing?",
      "content_html": "<p><em>UK AI Security Institute</em></p><p><strong>Published:</strong> 2026-05-13</p><p>13 May 2026 AISI blog post measuring the rate at which frontier models&#x27; autonomous cyber capability is advancing, using a time-horizon benchmark on AISI&#x27;s narrow cyber suite (identify-and-exploit tasks scored against expert completion-time baselines, with success measured at an 80% reliability threshold under a deliberately conservative 2.5M-token-per-task cap to keep results comparable over time). The headline finding: the 80%-reliability cyber time horizon had been doubling every 4.7 months since reasoning models emerged in late 2024 — itself an acceleration from AISI&#x27;s November 2025 estimate of 8 months — and Claude Mythos Preview and GPT-5.5 then substantially exceeded that trend, leaving it unclear whether they represent an isolated break or a new, faster trajectory. AISI reports on a newer Mythos Preview checkpoint than in its earlier pre-deployment writeup: the newer checkpoint completed both AISI cyber ranges, solving &quot;The Last Ones&quot; (a 32-step simulated corporate-network attack) in 6 of 10 attempts and the previously unsolved &quot;Cooling Tower&quot; in 3 of 10 — the first time any model has completed the second range; GPT-5.5 solved &quot;The Last Ones&quot; 3 of 10. With the 2.5M-token cap removed, success rates are high enough that time horizons become impossible to calculate, and the longest tasks (12 hours; only six tasks at 8 hours or more) place the latest models at the limit of what the suite can measure. The doubling rate is cross-validated against METR&#x27;s software-engineering time-horizon work (a consistent ~4.2-month doubling since late 2024, accelerating slightly to ~4 months when Mythos Preview is included). AISI states the standard caveats — imperfect human baselines, small model samples, and the gap between self-contained tasks and defended real-world systems — while concluding that the direction and pace of change are robust across models and methods, and that the window to build defensive resilience is now. The quantitative trend-line companion to AISI&#x27;s per-model Mythos Preview and GPT-5.5 evaluations, and the empirical anchor for the &quot;capability is advancing on the order of months, not years&quot; framing.</p><p><strong>Tags:</strong> DISC, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-25T12:00:00Z",
      "authors": [
        {
          "name": "UK AI Security Institute"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-project-glasswing-an-initial-update-2026-05-23",
      "url": "https://www.anthropic.com/research/glasswing-initial-update",
      "title": "Anthropic — Project Glasswing: An initial update",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-05-22</p><p>22 May 2026 one-month progress report on Project Glasswing. Anthropic and roughly fifty partners report having used Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities across systemically important software, and state that the binding constraint has shifted from finding vulnerabilities to verifying, disclosing, and patching them — a high- or critical-severity finding takes about two weeks to patch on average, and some maintainers asked Anthropic to slow the rate of disclosure. Across more than a thousand open-source projects, an estimated 6,202 high- or critical-severity vulnerabilities were surfaced out of 23,019 total; of 1,752 assessed by independent firms, 90.6% were confirmed valid true positives and 62.4% at high or critical severity. Also announces Claude Security in public beta. Vendor progress report; figures are Anthropic&#x27;s own.</p><p><strong>Tags:</strong> DISC, POL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-23T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-2028-two-scenarios-for-global-ai-leadership-2026-05-23",
      "url": "https://www.anthropic.com/research/2028-ai-leadership",
      "title": "Anthropic — 2028: Two scenarios for global AI leadership",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-05-14</p><p>14 May 2026 Anthropic policy essay on US–China AI competition, arguing that access to advanced compute is the decisive input for frontier AI and that export controls plus measures against distillation attacks have given democracies a lead that could be locked in at 12–24 months by 2028. Frames the competition across four fronts (intelligence, domestic adoption, global distribution, resilience) and presents two 2028 scenarios: one in which the US and allies hold a commanding compute and capability lead, and one in which PRC labs reach near-frontier parity. Cites Mythos Preview as a capability-acceleration signal, noting a PRC analyst&#x27;s characterisation of the moment, and treats open-weight release of dual-use-capable models as a misuse risk because safeguards can be removed. A US-national-interest advocacy document; useful as a statement of the compute-centric export-control position rather than as a neutral source.</p><p><strong>Tags:</strong> POL, SOV, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-23T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "POL",
        "SOV",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-european-parliament-eu-cybersecurity-and-preparedness-in-view-of-advanced-ai-sys-2026-05-22",
      "url": "https://www.europarl.europa.eu/plenary/en/debate-details.html?date=20260519&detailBy=date",
      "title": "European Parliament — EU cybersecurity and preparedness in view of advanced AI systems (plenary debate)",
      "content_html": "<p><em>European Parliament, plenary sitting of 19 May 2026 (Strasbourg). Council and Commission statements: Marilena Raouna (President-in-Office of the Council); Henna Virkkunen (Executive Vice-President of the Commission). Political-group speakers included Michał Wawrykiewicz (EPP), Ana Catarina Mendes (S&amp;D), Jaroslava Pokorná Jermanová (PfE), Stefano Cavedagna (ECR), Bart Groothuis (Renew), Markéta Gregorová (Greens/EFA), Marc Botenga (The Left), and Milan Uhrík (ESN), followed by catch-the-eye and a long list of individual MEPs. Chaired by Vice-Presidents Christel Schaldemose and Katarina Barley.</em></p><p><strong>Published:</strong> 2026-05-19</p><p>19 May 2026 European Parliament plenary debate (09:00–11:25, Strasbourg) on EU cybersecurity and preparedness in view of advanced AI systems, held on Council and Commission statements. The official record (verbatim report, speaker-by-speaker video, and downloadable speech texts) is the European Parliament plenary debate-details page for the sitting day. This is the plenary-level counterpart to the 6 May 2026 IMCO Committee discussion: the post-Mythos AI-and-cybersecurity question reaching the full chamber, with the Council and the Commission (Executive Vice-President Virkkunen) opening and every political group responding.</p><p><strong>Tags:</strong> GOV, POL, SOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-22T12:00:00Z",
      "authors": [
        {
          "name": "European Parliament, plenary sitting of 19 May 2026 (Strasbourg). Council and Commission statements: Marilena Raouna (President-in-Office of the Council); Henna Virkkunen (Executive Vice-President of the Commission). Political-group speakers included Michał Wawrykiewicz (EPP), Ana Catarina Mendes (S&D), Jaroslava Pokorná Jermanová (PfE), Stefano Cavedagna (ECR), Bart Groothuis (Renew), Markéta Gregorová (Greens/EFA), Marc Botenga (The Left), and Milan Uhrík (ESN), followed by catch-the-eye and a long list of individual MEPs. Chaired by Vice-Presidents Christel Schaldemose and Katarina Barley."
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-lee-and-brumley-exploitbench-a-capability-ladder-benchmark-for-llm-cybersecurity-2026-05-21",
      "url": "https://arxiv.org/abs/2605.14153",
      "title": "Lee and Brumley — ExploitBench: A Capability Ladder Benchmark for LLM Cybersecurity Agents",
      "content_html": "<p><em>Seunghyun Lee (Carnegie Mellon University), David Brumley (Carnegie Mellon University and Bugcrowd)</em></p><p><strong>Published:</strong> 2026-05-13</p><p>Exploitation is not a binary event. It is a ladder of acquiring progressive capabilities, from executing a single buggy line of code to taking full control of the target. However, existing LLM security benchmarks treat a crash as exploitation success. That single binary outcome collapses the hard parts of exploitation: the transition from triggering a bug to constructing reusable primitives and control. We present ExploitBench, a capability-graded benchmark that decomposes exploitation into 16 measurable flags, from coverage and crash through sandbox primitives, arbitrary read/write, control-flow hijack, and arbitrary code execution. Each capability is verified by a deterministic oracle that uses a per-run randomized challenge-response for primitives, differential execution against ground-truth binaries to measure progress, and a signal-handler proof for code execution. We instantiate ExploitBench on 41 V8 bugs because V8 is both widely deployed and exploitation-hardened. We report three arms: &lt;model,env&gt; as the primary measurement of model-environment capability, &lt;model,env, adaptive coaching&gt; as a secondary arm that adds adaptive coaching to test whether targeted feedback shifts outcomes, and &lt;model,env,harness&gt; as an ablation that swaps in the model&#x27;s native CLI to check whether vendor-side optimizations increase exploitation capabilities. Our results show a sharp capability split between publicly deployed frontier models and the private frontier. Across the 8 publicly deployed models tested, reaching the vulnerable code and triggering a crash is routine, but arbitrary code execution is not. The private model shows arbitrary code execution on approximately half. Overall, results suggest that exploit construction against hardened targets is an emerging frontier capability.</p><p><strong>Tags:</strong> EXPL, DISC, XCUT, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-21T12:00:00Z",
      "authors": [
        {
          "name": "Seunghyun Lee (Carnegie Mellon University), David Brumley (Carnegie Mellon University and Bugcrowd)"
        }
      ],
      "tags": [
        "EXPL",
        "DISC",
        "XCUT",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bourzikas-cloudflare-project-glasswing-what-mythos-showed-us-2026-05-19",
      "url": "https://blog.cloudflare.com/cyber-frontier-models/",
      "title": "Bourzikas (Cloudflare) — Project Glasswing: what Mythos showed us",
      "content_html": "<p><em>Grant Bourzikas (Chief Security Officer, Cloudflare); with named contributors Albert Pedersen, Craig Strubhart, Dan Jones, Irtefa Fairuz, Martin Schwarzl, and Rohit Chenna Reddy</em></p><p><strong>Published:</strong> 2026-05-18</p><p>18 May 2026 Cloudflare blog post by Chief Security Officer Grant Bourzikas reporting the results of pointing Mythos Preview at more than fifty of Cloudflare&#x27;s own repositories under Project Glasswing, with the Glasswing-provided model lacking the additional safeguards present in generally available models such as Opus 4.7 or GPT-5.5. Two capabilities distinguish Mythos Preview from earlier frontier models run through the same harness: exploit-chain construction (combining small primitives — use-after-free into arbitrary read/write, control-flow hijack, ROP — into a working proof in a way that &#x27;looks like the work of a senior researcher rather than the output of an automated scanner&#x27;) and proof generation (writing, compiling, and running PoC code in a scratch environment, revising the hypothesis when the run fails). On signal-to-noise: &#x27;A good human researcher tells you what they found and how confident they are. Models don&#x27;t. Ask a model to find bugs, and it will find them, whether the code has any or not&#x27;; Mythos is a clear improvement because findings arrive with PoC code rather than hedged &#x27;possibly/potentially.&#x27; Inconsistent refusals documented with a transcript: an HTTP/2 frame-handling research request in fl2 was refused as offensive action against live infrastructure, and the same task framed differently was accepted, with semantically equivalent tasks producing opposite outcomes. This is written into an explicit policy ask: organic guardrails are real but not consistent enough to serve as a complete safety boundary, and any capable cyber frontier model made generally available in the future must include additional safeguards on top of this baseline behaviour. The eight-stage harness (Recon, Hunt with ~50 parallel hunter agents each fanning out to subagents with tools that compile and run PoC code, Validate by an independent disprove-the-finding agent, Gapfill, Dedupe, Trace as the cross-repo reachability check called &#x27;the stage that matters most,&#x27; Feedback, schema-validated Report) operationalises four lessons: narrow scope beats wandering; adversarial review by a second agent catches what one agent reviewing its own work misses; splitting &#x27;is this buggy&#x27; from &#x27;can an attacker reach it&#x27; produces better reasoning; parallel narrow tasks beat one exhaustive agent. Bourzikas cautions against the two-hour-SLA-from-CVE-to-production-patch instinct — Cloudflare watched its own model-written patches go out that fixed the original bug while quietly breaking something else — and argues the durable response is architectural (defences in front of the application, segmentation so a flaw in one part cannot reach others, simultaneous global rollout), tying the dual-use acknowledgement to Cloudflare&#x27;s commercial positioning.</p><p><strong>Tags:</strong> DISC, EXPL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-19T12:00:00Z",
      "authors": [
        {
          "name": "Grant Bourzikas (Chief Security Officer, Cloudflare); with named contributors Albert Pedersen, Craig Strubhart, Dan Jones, Irtefa Fairuz, Martin Schwarzl, and Rohit Chenna Reddy"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-kim-microsoft-defense-at-ai-speed-microsoft-s-new-multi-model-agentic-security-s-2026-05-18",
      "url": "https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/",
      "title": "Kim (Microsoft) — Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark",
      "content_html": "<p><em>Taesoo Kim (VP, Agentic Security, Microsoft; previously Team Atlanta lead at DARPA AIxCC)</em></p><p><strong>Published:</strong> 2026-05-12</p><p>12 May 2026 Microsoft Security blog post announcing MDASH, a multi-model agentic scanning harness built by Microsoft’s Autonomous Code Security team (staffed in part by Team Atlanta veterans of DARPA AIxCC) in collaboration with MORSE and WARP. The pipeline (prepare / scan / validate / dedup / prove) orchestrates 100+ specialised auditor, debater and prover agents across an ensemble of frontier and distilled models, with extensibility plugins for component-specific invariants. Headline results: 16 CVEs in the 12 May Patch Tuesday cohort across the Windows networking and authentication stack, including four Critical RCEs (tcpip.sys SSRR UAF, ikeext.dll IKEv2 double-free to LocalSystem, netlogon.dll CLDAP stack overflow, dnsapi.dll heap OOB); 21/21 planted bugs found with zero false positives on a private driver; 96% recall on five years of clfs.sys MSRC cases, 100% on tcpip.sys; and 88.45% on the public CyberGym benchmark, top of the leaderboard by roughly five points. Core thesis: ‘the harness does the work, the model is one input’ — discovery requires composition no single prompt can achieve, validation is the difference between a finding and a fix, and the system absorbs model improvements without rewrites. Companion to the Anthropic Glasswing, Broadcom, and Mozilla agentic-harness writeups; the strongest vendor-internal AI-defensive-scanning data point in the post-Mythos corpus.</p><p><strong>Tags:</strong> DISC, OPS, POL, XCUT, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-18T12:00:00Z",
      "authors": [
        {
          "name": "Taesoo Kim (VP, Agentic Security, Microsoft; previously Team Atlanta lead at DARPA AIxCC)"
        }
      ],
      "tags": [
        "DISC",
        "OPS",
        "POL",
        "XCUT",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cac-cncert-2026-2026-ai-empowered-cybersecurity-application-testing-announcement-2026-05-18",
      "url": "https://www.cac.gov.cn/2026-05/18/c_1780846421726446.htm",
      "title": "CAC / CNCERT — 2026年人工智能技术赋能网络安全应用测试公告 (2026 AI-Empowered Cybersecurity Application Testing Announcement)",
      "content_html": "<p><em>Cyberspace Administration of China (CAC) / National Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT). Sixteen co-guiding bodies including CAC Cybersecurity Coordination Bureau, MIIT Cybersecurity Administration Bureau, Public Security Bureau Science and Technology Information Bureau, People&#x27;s Bank of China Science and Technology Department, General Administration of Customs, National Radio and Television Administration, National Energy Administration, and CAAC. Co-organisers include the Chinese Academy of Sciences Institute of Information Engineering, the National Information Technology Security Research Center, and Shandong Broadcasting; technical-support unit is Huawei Technologies.</em></p><p><strong>Published:</strong> 2026-05-18</p><p>18 May 2026 CAC / CNCERT public notice launching the 2026 AI-Empowered Cybersecurity Application Testing Activity — a state-organised evaluation programme positioned, in its opening framing, to ‘promote the empowering application of AI technology in the cybersecurity field, identify high-value cybersecurity business scenarios, select outstanding AI technology products, raise the cybersecurity protection level of important industry sectors, advance cybersecurity science and technology innovation, and deepen AI-empowered cybersecurity governance.’ Eight test scenarios are specified, of which two are directly load-bearing for the AI-and-vulnerability-discovery debate: AI-driven attack cyber defence, and intelligent vulnerability discovery in network systems and source code. The remaining six cover network-traffic threat detection, security-log denoising, LLM safety guardrail testing, AIGC image detection, AI-agent malicious-behaviour detection, and IPTV account anomaly detection. The activity runs in two stages — an online qualifying round from 7 June to 6 July with the top six teams per scenario advancing to in-person testing in Beijing from 18 July to 15 August — with results announced in September during the National Cybersecurity Awareness Week. Successful teams are supported for placement on mainstream Chinese AI app marketplaces, incubation of outstanding large models in domestic open-source communities, and recognition under cybersecurity-talent and sectoral-innovation programmes. The co-guiding ministries span finance, energy, transport, customs, broadcasting, and public security, with Huawei as the technical-support unit — placing the scheme squarely within China&#x27;s national-security and industrial-policy apparatus rather than in a research-competition register. Companion to the Atlantic Council Sleight of Hand report and the Cary RMSV framing as the Chinese-state-side counterpart to the post-Mythos US and EU policy clusters.</p><p><strong>Tags:</strong> GOV, POL, DISC, SOV, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-18T12:00:00Z",
      "authors": [
        {
          "name": "Cyberspace Administration of China (CAC) / National Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT). Sixteen co-guiding bodies including CAC Cybersecurity Coordination Bureau, MIIT Cybersecurity Administration Bureau, Public Security Bureau Science and Technology Information Bureau, People's Bank of China Science and Technology Department, General Administration of Customs, National Radio and Television Administration, National Energy Administration, and CAAC. Co-organisers include the Chinese Academy of Sciences Institute of Information Engineering, the National Information Technology Security Research Center, and Shandong Broadcasting; technical-support unit is Huawei Technologies."
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "DISC",
        "SOV",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mcmillan-anthropic-s-mythos-helped-find-bugs-in-apple-s-macos-wall-street-journa-2026-05-17",
      "url": "https://www.msn.com/en-us/money/other/anthropic-s-mythos-helped-find-bugs-in-apple-s-desktop-operating-system/ar-AA23bSTA",
      "title": "McMillan — Anthropic's Mythos helped find bugs in Apple's MacOS (*Wall Street Journal*)",
      "content_html": "<p><em>Robert McMillan (*Wall Street Journal*); external review and quoted assessment from Michał Zalewski (formerly Google)</em></p><p><strong>Published:</strong> 2026-05-14</p><p>14 May 2026 Wall Street Journal exclusive by Robert McMillan reporting that researchers at Calif, the Palo Alto-based firm in Anthropic&#x27;s Project Glasswing programme, used techniques discovered while testing Mythos Preview in April to build a working privilege-escalation exploit chain bypassing Apple&#x27;s Memory Integrity Enforcement (MIE) on the M5 chip. Building the exploit code took five days — the cost-collapse data point on a hardened target. Calif CEO Thai Duong told the WSJ the attack &quot;couldn&#x27;t have been pulled off by Mythos alone and leveraged the very human cybersecurity expertise of some of Calif&#x27;s hackers,&quot; with Mythos stronger at reproducing and recombining documented attack patterns than at inventing entirely new techniques — the human-expertise caveat that keeps the finding inside the v33 falsification framing rather than triggering it. External validation from Michał Zalewski (formerly Google), who reviewed the research without participating; Apple is reviewing the 55-page report Calif delivered in Cupertino. The WSJ piece also carries the most explicit US-federal-oversight signal in the corpus: the White House is contemplating an executive order granting government oversight of the most-advanced models — companion to the Latta et al. House letter (13 May) and Reuters/Satter on CISA deadline cuts (1 May).</p><p><strong>Tags:</strong> DISC, EXPL, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-17T12:00:00Z",
      "authors": [
        {
          "name": "Robert McMillan (*Wall Street Journal*); external review and quoted assessment from Michał Zalewski (formerly Google)"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-github-blog-brown-raising-the-bar-quality-shared-responsibility-and-the-future-o-2026-05-17",
      "url": "https://github.blog/security/raising-the-bar-quality-shared-responsibility-and-the-future-of-githubs-bug-bounty-program/",
      "title": "GitHub blog (Brown) — Raising the bar: Quality, shared responsibility, and the future of GitHub's bug bounty program",
      "content_html": "<p><em>Jarom Brown (Senior Product Security Engineer, Bug Bounty, GitHub)</em></p><p><strong>Published:</strong> 2026-05-15</p><p>15 May 2026 GitHub Security blog post by Jarom Brown (Senior Product Security Engineer, Bug Bounty) announcing changes to the GitHub bug-bounty programme in response to AI-era submission volume. Frames the move as raising the bar on submission quality rather than restricting AI use: GitHub explicitly welcomes AI-assisted research provided the human researcher validates the output before submitting, with a working proof of concept and demonstrated security impact required for a complete report. Two structural changes accompany the quality bar: a clearer articulation of GitHub&#x27;s shared-responsibility security model (cloning a repository is an act of trust; prompt injection via user-chosen content does not represent a bypass of GitHub&#x27;s security controls); and a shift to recognising low-impact valid submissions with GitHub swag rather than bounty payouts, with bounty resources concentrated on high-impact findings.</p><p><strong>Tags:</strong> DISCL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-17T12:00:00Z",
      "authors": [
        {
          "name": "Jarom Brown (Senior Product Security Engineer, Bug Bounty, GitHub)"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-gds-dsit-uk-ai-open-code-and-vulnerability-risk-in-the-public-sector-2026-05-17",
      "url": "https://www.gov.uk/guidance/ai-open-code-and-vulnerability-risk-in-the-public-sector",
      "title": "GDS / DSIT (UK) — AI, open code and vulnerability risk in the public sector",
      "content_html": "<p><em>Government Digital Service and Department for Science, Innovation and Technology (UK)</em></p><p><strong>Published:</strong> 2026-05-14</p><p>14 May 2026 official UK government guidance jointly issued by the Government Digital Service and the Department for Science, Innovation and Technology in response to technology leaders asking whether AI-accelerated vulnerability discovery means public sector departments should stop publishing source code in the open by default. The guidance answers no: openness should remain the default, with closure used sparingly as a deliberate exception backed by a short threat model that states the attacker, what publication adds, and the realistic path to harm. The headline argument is that the primary driver of exploitation risk is the presence of weaknesses (unpatched vulnerabilities, insecure implementation, unsafe configuration or deployment) and the inability to remediate quickly, not the visibility of source code — and that publishing source code does not create those weaknesses, although it can modestly reduce attacker uncertainty (an effect that may increase with AI assistance), especially where maintenance is weak and fixes are slow. Sets out four recommendations (meet the minimum standard for publicly-accessible systems; keep open by default; make exceptions explicit and reviewable; strengthen remediation capability) and a minimum operational bar for publishing a repository (named owner and maintenance plan; security contact and intake route; no secrets or sensitive operational detail; secure-by-design baseline; automated hygiene; patching SLAs; safe posture for unmaintained code). Explicitly warns against &quot;private by default&quot; drift as a substitute for under-resourced maintenance, and against using AI as a broad justification for closure on the precedent grounds that it would undermine cross-government coherence on reuse and standards.</p><p><strong>Tags:</strong> GOV, POL, OPS, SOV, SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-17T12:00:00Z",
      "authors": [
        {
          "name": "Government Digital Service and Department for Science, Innovation and Technology (UK)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS",
        "SOV",
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-vulncheck-garrity-the-first-cve-wave-signs-that-ai-assisted-vulnerability-discov-2026-05-17",
      "url": "https://www.vulncheck.com/blog/ai-assisted-vulnerability-discovery",
      "title": "VulnCheck (Garrity) — The First CVE Wave: Signs That AI-Assisted Vulnerability Discovery Is Reshaping Disclosure Volumes",
      "content_html": "<p><em>Patrick Garrity (VulnCheck); with quoted commentary from Madison Oliver Ficorilli (GitHub), Naveen Sunkavally (Horizon3), and Rich Campagna (SVP, Palo Alto Networks)</em></p><p><strong>Published:</strong> 2026-05-14</p><p>14 May 2026 VulnCheck blog post by Patrick Garrity providing a CNA-level quantification of the post-Mythos CVE disclosure surge, two Patch Tuesdays after the 7 April 2026 Glasswing announcement. Headline year-to-date increases across the top CVE Numbering Authorities: Chrome +563.2%, Mozilla +156.9%, VMware +180.9%, Apache +170.3%, HPE +132.3%, F5 +113.8%, with GitHub at +476.07% spread across many reporters and projects rather than concentrated in one source (per Madison Oliver Ficorilli at GitHub: &quot;No single reporter accounts for more than ~3% of volume, and no single project accounts for more than ~7%. This isn&#x27;t one person or one tool, it&#x27;s a systemic shift in how vulnerability reporting is happening across the ecosystem.&quot;). Per-vendor commentary: Mozilla explicit Glasswing participation since February; Chrome 563% increase &quot;likely some combination of Mythos and Google&#x27;s own AI models&quot;; Microsoft direct quote that &quot;AI vulnerability findings can scale&quot;; Apache 170%+ with the ActiveMQ CVE-2026-34197 (now KEV-listed) discovered by Naveen Sunkavally (Horizon3) using Claude — &quot;This was 80% Claude with 20% gift-wrapping by a human&quot;; Palo Alto +37% per Rich Campagna explicit acknowledgement of Mythos, Opus 4.7, and GPT-5.5-Cyber use under Trusted Access for Cyber; curl excluded from the chart but referenced via Stenberg&#x27;s &quot;1 of 5 valid&quot; Mythos finding. Garrity flags the open question of whether the surge is sustained or a temporary spike as frontier models are applied to different code bases. Vendor caveat (VulnCheck sells vulnerability intelligence).</p><p><strong>Tags:</strong> DISC, TRIAGE, EXPL, OPS, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-17T12:00:00Z",
      "authors": [
        {
          "name": "Patrick Garrity (VulnCheck); with quoted commentary from Madison Oliver Ficorilli (GitHub), Naveen Sunkavally (Horizon3), and Rich Campagna (SVP, Palo Alto Networks)"
        }
      ],
      "tags": [
        "DISC",
        "TRIAGE",
        "EXPL",
        "OPS",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-aggarwal-and-singh-hackerone-finding-fast-fixing-slow-the-crisis-of-asymmetric-r-2026-05-17",
      "url": "https://www.hackerone.com/blog/ai-vulnerability-discovery-remediation-gap",
      "title": "Aggarwal and Singh (HackerOne) — Finding Fast, Fixing Slow: The Crisis of Asymmetric Remediation",
      "content_html": "<p><em>Nidhi Aggarwal (Chief Product Officer, HackerOne), Sandeep Singh (VP, Product Strategy, HackerOne)</em></p><p><strong>Published:</strong> 2026-04-17</p><p>17 April 2026 HackerOne blog post applying Geer&#x27;s capture-recapture / Lincoln Index framing to vulnerability density: argues that prior sparse-looking discovery rates were an artefact of limited reach rather than a finite vulnerability population, and that AI-era discovery (AIxCC moving from 37% identification and 25% patching at DEF CON 32 to 86% and 68% at DEF CON 33; Opus 4.6 against Firefox; Mythos Preview&#x27;s 32-step corporate-network simulation) exposes a dense underlying landscape. Identifies remediation as the binding constraint: discovery has jumped by an order of magnitude while most organisations still patch one vulnerability at a time, so backlogs compound. Prescribes organisational redesign to collapse handoffs between discovery and fix, feedback loops that treat vulnerability clusters as design defects rather than individual bugs, and high-fidelity validation focused on exploitable risk rather than theoretical findings. Vendor caveat (HackerOne sells bug-bounty and triage services).</p><p><strong>Tags:</strong> PATCH, OPS, DISC, TRIAGE, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-17T12:00:00Z",
      "authors": [
        {
          "name": "Nidhi Aggarwal (Chief Product Officer, HackerOne), Sandeep Singh (VP, Product Strategy, HackerOne)"
        }
      ],
      "tags": [
        "PATCH",
        "OPS",
        "DISC",
        "TRIAGE",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-wang-schiller-li-et-al-exploitgym-can-ai-agents-turn-security-vulnerabilities-in-2026-05-16",
      "url": "https://arxiv.org/abs/2605.11086",
      "title": "Wang, Schiller, Li et al. — ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks?",
      "content_html": "<p><em>Yifeng Wang, Eric Schiller, Yuxuan Li, Sesha Narayana, Milad Nasr, Nicholas Carlini, Xiangyu Qi, Eric Wallace, Elie Bursztein, Luca Invernizzi, Kurt Thomas, Yan Shoshitaishvili, Jiawei Guo, Xinjie He, Thorsten Holz, Dawn Song. Across UC Berkeley, MPI-SP, UC Santa Barbara, Arizona State University, with industry collaborators at Anthropic, OpenAI, and Google.</em></p><p><strong>Published:</strong> 2026-05-11</p><p>11 May 2026 arXiv preprint introducing ExploitGym, the first large-scale benchmark of AI-agent exploitation capability on real CVEs. 898 instances across three domains: 520 userspace C/C++ from OSS-Fuzz via CyberGym and OSV; 185 V8 from ClusterFuzz and Chromium issue-tracker; 193 Linux kernel from kernelCTF and syzbot. Each task starts from a proof-of-vulnerability input and asks the agent to extend it into a working exploit that captures a privileged flag, with an agent-as-a-judge verifying the exploit used the intended vulnerability. Two-hour-timeout mitigation-off results: Claude Mythos Preview 157 (107/38/12); GPT-5.5 120 (71/27/22); GPT-5.4 54; all other models under 15. With standard mitigations enabled (ASLR, stack canaries / PIE, V8 heap sandbox, KASLR, user-namespace restrictions), all models combined still solve 37 userspace, 20 V8, and 12 kernel tasks; the paper documents standard bypass techniques applied iteratively rather than discovered de novo. Mythos&#x27;s six-hour time-success curve climbs from 127 to 204 without plateau. Companion to AISI&#x27;s TLO inference-scaling finding on a benchmark constructed independently around real CVEs rather than CTF-style tasks; the first public benchmark on which non-trivial kernel-exploitation results separate frontier from non-frontier configurations.</p><p><strong>Tags:</strong> EXPL, DISC, XCUT, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-16T12:00:00Z",
      "authors": [
        {
          "name": "Yifeng Wang, Eric Schiller, Yuxuan Li, Sesha Narayana, Milad Nasr, Nicholas Carlini, Xiangyu Qi, Eric Wallace, Elie Bursztein, Luca Invernizzi, Kurt Thomas, Yan Shoshitaishvili, Jiawei Guo, Xinjie He, Thorsten Holz, Dawn Song. Across UC Berkeley, MPI-SP, UC Santa Barbara, Arizona State University, with industry collaborators at Anthropic, OpenAI, and Google."
        }
      ],
      "tags": [
        "EXPL",
        "DISC",
        "XCUT",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-latta-matsui-obernolte-lieu-et-al-letter-to-national-cyber-director-cairncross-o-2026-05-15",
      "url": "https://latta.house.gov/news/documentsingle.aspx?DocumentID=406786",
      "title": "Latta, Matsui, Obernolte, Lieu et al. — Letter to National Cyber Director Cairncross on AI-discovered vulnerability coordination",
      "content_html": "<p><em>Robert E. Latta (R-OH-5), Doris Matsui (D-CA-7), Jay Obernolte (R-CA-23), Ted W. Lieu (D-CA-36), and 31 other Members of Congress (35 signatories total). CC: Lutnick (Commerce), Mullin (Homeland Security), Bessent (Treasury), Kratsios (OSTP), Gabbard (DNI), Hegseth (War), Wiles (White House Chief of Staff), Hassett (NEC), Vought (OMB).</em></p><p><strong>Published:</strong> 2026-05-14</p><p>Bipartisan House letter dated 13 May 2026 (announced via Latta press release 14 May 2026) to ONCD Director Sean Cairncross requesting a federal-industry coordination process for AI-discovered vulnerabilities, grounded in Anthropic&#x27;s 7 April 2026 Mythos Preview announcement and the &gt;99% unpatched figure. Proposes ONCD as convener with DHS/CISA as lead agency for vulnerability coordination, Commerce/NIST plus CAISI on AI capability evaluation and trusted-access frameworks, and OMB/OFCIO on federal implementation. Seven recommendations: (1) plan to coordinate high volumes of vulnerability disclosures; (2) assess existing efforts to identify critical software dependencies, with a protected approach to avoid publishing a target map for adversaries; (3) find and fix before adversaries, with early/free/reduced-cost frontier-AI access for open-source maintainers and nonprofits, and assistance to critical-infrastructure operators in deploying and verifying patches; (4) framework for sensitive AI-generated dual-use findings including the question of whether the Vulnerabilities Equities Process needs to be adapted for an influx of AI-discovered vulnerabilities, and extending to CBRN-relevant findings; (5) voluntary framework for AI labs to provide early access to vetted defenders; (6) process for monitoring sudden frontier capability jumps, including the token cost per useful vulnerability, exploit, or patch, and contingency planning for model-weight theft and adversarial distillation; (7) identify barriers requiring congressional action, including possible updates to the Cybersecurity Information Sharing Act of 2015 and the question of whether existing legal authorities are sufficient where exploitation risk is imminent, ordinary patching is not feasible, and involuntary patching may be necessary. Procedural asks: staff-level briefing within 30 days, written response within 45 days. Signatory composition concentrates the relevant House leadership: Latta (E&amp;C Energy Subcommittee Chair, Communications &amp; Technology), Matsui (Communications &amp; Technology ranking), Obernolte (House Science Chair, former House AI Task Force co-chair), Lieu (former House AI Task Force co-chair), Moolenaar (CCP Select Committee Chair), Khanna (CCP Select Committee Ranking), Krishnamoorthi (former CCP Select Committee Ranking), Foster (only PhD physicist in Congress, founding chair of Financial Services AI Task Force), plus roughly a third of the Energy &amp; Commerce Committee. House-only; companion to the December 2025 Hassan-Ernst Senate letter to the same recipient.</p><p><strong>Tags:</strong> POL, GOV, DISCL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-15T12:00:00Z",
      "authors": [
        {
          "name": "Robert E. Latta (R-OH-5), Doris Matsui (D-CA-7), Jay Obernolte (R-CA-23), Ted W. Lieu (D-CA-36), and 31 other Members of Congress (35 signatories total). CC: Lutnick (Commerce), Mullin (Homeland Security), Bessent (Treasury), Kratsios (OSTP), Gabbard (DNI), Hegseth (War), Wiles (White House Chief of Staff), Hassett (NEC), Vought (OMB)."
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "DISCL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-klarich-palo-alto-networks-defender-s-guide-to-the-frontier-ai-impact-on-cyberse-2026-05-14",
      "url": "https://www.paloaltonetworks.com/blog/2026/05/defenders-guide-frontier-ai-impact-cybersecurity-may-2026-update/",
      "title": "Klarich (Palo Alto Networks) — Defender's Guide to the Frontier AI Impact on Cybersecurity: May 2026 Update",
      "content_html": "<p><em>Lee Klarich (Chief Product Officer, Palo Alto Networks)</em></p><p><strong>Published:</strong> 2026-05-13</p><p>13 May 2026 Palo Alto Networks blog post by Lee Klarich following up the April 2026 Defender&#x27;s Guide. Reports continued testing of Mythos, Opus 4.7, and GPT-5.5-Cyber under Project Glasswing and the Trusted Access for Cyber program. Headline datapoint: May 2026 Patch Wednesday covers 26 CVEs across 130+ products versus the usual fewer-than-5, mostly from frontier-AI scans of Palo Alto&#x27;s own code. Estimates a 3–5-month window before AI-driven exploits become the norm; four-step defender programme. Vendor caveat.</p><p><strong>Tags:</strong> DISC, EXPL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-14T12:00:00Z",
      "authors": [
        {
          "name": "Lee Klarich (Chief Product Officer, Palo Alto Networks)"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-broadcom-what-we-learned-testing-frontier-ai-security-models-against-our-own-cod-2026-05-14",
      "url": "https://news.broadcom.com/security/frontier-ai-security-models-code-testing-results",
      "title": "Broadcom — What We Learned Testing Frontier AI Security Models Against Our Own Code",
      "content_html": "<p><em>Broadcom Infrastructure Software Group</em></p><p><strong>Published:</strong> 2026-04-23</p><p>23 April 2026 Broadcom Infrastructure Software Group post reporting on weeks of testing frontier AI models against Broadcom&#x27;s own production code. First-pass findings were real but largely non-exploitable; reframing the models as direction-following security engineers rather than scanners — supplying per-component threat models, both source code and a live environment for self-validation, mandatory proof-of-concept exploit code and proposed fix for every claimed vulnerability, and explicit adversarial rejection of unproven findings — changed the results substantially, producing an order-of-magnitude increase in discoveries and surfacing combinatorial issues unlikely to be found by humans alone. Highlights the chaining of two or three lower-severity issues into a single higher-severity exploit path as the capability that breaks triage-based vulnerability management, and frames the defender&#x27;s advantage as shifting from triage precision to patching velocity. Sets out three phases ahead (initial vendor-led patch wave under way; broader wave reaching long-tail software over 6–18 months; steady state with persistently higher known-vulnerability volume and compressed disclosure-to-exploitation interval) and prescribes for enterprises: move to latest vendor versions, automate the patching pipeline, treat mean-time-to-remediation as a core operational metric, and invest in the discipline (context, tooling, direction, adversarial validation) required to use AI on the defender&#x27;s side.</p><p><strong>Tags:</strong> DISC, PATCH, OPS, POL, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-14T12:00:00Z",
      "authors": [
        {
          "name": "Broadcom Infrastructure Software Group"
        }
      ],
      "tags": [
        "DISC",
        "PATCH",
        "OPS",
        "POL",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-dullien-halvar-flake-thomas-dullien-zu-anthropics-mythos-software-war-nie-auf-pe-2026-05-13",
      "url": "https://www.faz.net/premium/digitalwirtschaft/thomas-dullien-zu-anthropics-mythos-software-war-nie-auf-perfekte-sicherheit-ausgelegt-das-raecht-sich-accg-200822228.html",
      "title": "Dullien (Halvar Flake) — Thomas Dullien zu Anthropics Mythos: \"Software war nie auf perfekte Sicherheit ausgelegt – das rächt sich\" [Thomas Dullien on Anthropic's Mythos: \"Software was never designed for perfect security — that's coming back to haunt us\"] (FAZ interview)",
      "content_html": "<p><em>Thomas Dullien (Halvar Flake); Frankfurter Allgemeine Zeitung interview</em></p><p><strong>Published:</strong> 2026-05-13</p><p>13 May 2026 FAZ interview with Thomas Dullien (Halvar Flake) on Anthropic&#x27;s Mythos, published in the Digitalwirtschaft section of the Frankfurter Allgemeine Zeitung as a premium paywalled piece. Title (German): &quot;Thomas Dullien zu Anthropics Mythos: &#x27;Software war nie auf perfekte Sicherheit ausgelegt – das rächt sich.&#x27;&quot; English translation: &quot;Thomas Dullien on Anthropic&#x27;s Mythos: &#x27;Software was never designed for perfect security — that&#x27;s coming back to haunt us.&#x27;&quot;</p><p><strong>Tags:</strong> DISC, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-13T12:00:00Z",
      "authors": [
        {
          "name": "Thomas Dullien (Halvar Flake); Frankfurter Allgemeine Zeitung interview"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-the-work-averse-cyberattacker-model-theory-and-evidence-from-two-million-attack--2026-05-12",
      "url": "https://onlinelibrary.wiley.com/doi/full/10.1111/risa.13732",
      "title": "The Work-Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures",
      "content_html": "<p><em>Luca Allodi, Fabio Massacci, Julian Williams</em></p><p><strong>Published:</strong> 2022-08-01</p><p>Peer-reviewed journal version (Risk Analysis 42(8):1623–1642, August 2022; first published online 7 May 2021; DOI: 10.1111/risa.13732; open access) of the work originally presented at WEIS 2017. Empirical and theoretical paper based on a dataset of approximately two million attack signatures across multiple software versions.</p><p><strong>Tags:</strong> EXPL, XCUT, PATCH</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "Luca Allodi, Fabio Massacci, Julian Williams"
        }
      ],
      "tags": [
        "EXPL",
        "XCUT",
        "PATCH"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-imco-committee-hearing-european-parliament-safety-of-ai-systems-posing-serious-s-2026-05-12",
      "url": "https://codeberg.org/tzafaar/Buffers_overflow_into_policy/src/branch/main/other/IMCO-hearing-2026-05-06-with-speakers.md",
      "title": "IMCO Committee hearing (European Parliament) — Safety of AI systems posing serious security risks, including Anthropic's Mythos",
      "content_html": "<p><em>European Parliament, Committee on Internal Market and Consumer Protection (IMCO). Speakers and committee discussion catalogued in supplemental document at the URL below.</em></p><p><strong>Published:</strong> 2026-05-06</p><p>6 May 2026 IMCO Committee discussion in the European Parliament on the safety of AI systems posing serious security risks, including Anthropic&#x27;s Mythos, focused on how the Cyber Security Act and AI Act apply in practice. Speaker list and discussion notes catalogued in the supplemental file at the Codeberg URL.</p><p><strong>Tags:</strong> GOV, POL, SOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "European Parliament, Committee on Internal Market and Consumer Protection (IMCO). Speakers and committee discussion catalogued in supplemental document at the URL below."
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-struppek-gleave-pelrine-et-al-far-ai-prefill-attacks-against-frontier-models-2026-05-12",
      "url": "https://arxiv.org/pdf/2602.14689",
      "title": "Struppek, Gleave, Pelrine et al. (FAR.AI) — Prefill Attacks Against Frontier Models",
      "content_html": "<p><em>Lukas Struppek, Adam Gleave, Kellin Pelrine et al. (FAR.AI)</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 FAR.AI arXiv preprint on prefill attacks against frontier models. Records that rapid progress in the open-weight ecosystem has narrowed the capability gap between open-weight and proprietary frontier models. Companion paper to FAR.AI&#x27;s independent safety evaluation of Kimi K2.5.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "Lukas Struppek, Adam Gleave, Kellin Pelrine et al. (FAR.AI)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-n-day-bench-contamination-resistant-llm-variant-discovery-benchmark-2026-05-12",
      "url": "https://news.ycombinator.com/item?id=47758347",
      "title": "N-Day-Bench — Contamination-resistant LLM variant-discovery benchmark",
      "content_html": "<p><em>N-Day-Bench project (Hacker News submission)</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 benchmark for measuring LLM variant-discovery capability. Three-agent setup (Curator, Finder, Judge); the Finder receives sink hints but never sees the patch. Monthly dataset refresh keeps the test set ahead of training-data contamination.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "N-Day-Bench project (Hacker News submission)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-he-wang-nguyen-et-al-4-5-million-suspected-fake-stars-in-github-2026-05-12",
      "url": "https://arxiv.org/abs/2412.13459",
      "title": "He, Wang, Nguyen et al. — 4.5 Million Suspected Fake Stars in GitHub",
      "content_html": "<p><em>Hao He, Haoqin Yang, Bogdan Vasilescu, Christian Kästner et al.</em></p><p><strong>Published:</strong> 2024-12-17</p><p>December 2024 arXiv paper identifying approximately 4.5 million suspected fake stars on GitHub between 2019 and 2024, with the rate climbing sharply over the period. Documents metric corruption in one of the most commonly used open-source popularity signals.</p><p><strong>Tags:</strong> SUPPLY, OPS, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "Hao He, Haoqin Yang, Bogdan Vasilescu, Christian Kästner et al."
        }
      ],
      "tags": [
        "SUPPLY",
        "OPS",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mercer-watson-the-rapid-rise-of-generative-ai-assessing-risks-to-safety-and-secu-2026-05-12",
      "url": "https://cetas.turing.ac.uk/publications/rapid-rise-generative-ai",
      "title": "Mercer & Watson — The Rapid Rise of Generative AI: Assessing Risks to Safety and Security (CETaS Briefing Paper)",
      "content_html": "<p><em>Sam Mercer, Sam Watson (Centre for Emerging Technology and Security at the Alan Turing Institute)</em></p><p><strong>Published:</strong> 2024-06-01</p><p>June 2024 CETaS Briefing Paper on generative AI risks to safety and security. UK-academic-policy assessment from the Alan Turing Institute predating the post-Mythos cycle.</p><p><strong>Tags:</strong> DISC, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "Sam Mercer, Sam Watson (Centre for Emerging Technology and Security at the Alan Turing Institute)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-epoch-ai-capability-lag-between-proprietary-and-open-weight-frontier-models-2026-05-12",
      "url": "https://epoch.ai/data-insights/open-weights-vs-closed-weights-models",
      "title": "Epoch AI — Capability lag between proprietary and open-weight frontier models",
      "content_html": "<p><em>Epoch AI</em></p><p><strong>Published:</strong> 2026-04-01</p><p>Epoch AI analysis of the capability lag between proprietary and open-weight frontier models. Estimates the average lag at approximately 3 months, with variation up to 5–22 months depending on the benchmark.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "Epoch AI"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-stanford-autonomous-ai-penetration-testing-agent-arxiv-2512-09882-2026-05-12",
      "url": "https://arxiv.org/abs/2512.09882",
      "title": "Stanford — Autonomous AI Penetration Testing Agent (arXiv:2512.09882)",
      "content_html": "<p><em>Stanford authors (arXiv:2512.09882)</em></p><p><strong>Published:</strong> 2025-12-01</p><p>December 2025 Stanford arXiv preprint describing an autonomous AI penetration-testing agent. Reports performance at or above the level of most highly skilled professional security testers, outperforming nine out of ten participants in a live network test with an 82% valid vulnerability discovery rate at a fraction of the cost.</p><p><strong>Tags:</strong> DISC, EXPL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "Stanford authors (arXiv:2512.09882)"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-llmda-llm-driven-detection-of-patched-but-undisclosed-vulnerabilities-2026-05-12",
      "url": "https://arxiv.org/abs/2312.01241",
      "title": "LLMDA — LLM-driven detection of patched-but-undisclosed vulnerabilities",
      "content_html": "<p><em>LLMDA project (academic foundation, citation form to be verified)</em></p><p><strong>Published:</strong> 2026-06-30</p><p>Academic foundation for LLM-driven detection of patched-but-undisclosed vulnerabilities (negative-days). Cited as the academic counterpart to operational patch-monitoring workflows. Formal citation form to be verified.</p><p><strong>Tags:</strong> DISC, PATCH, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "LLMDA project (academic foundation, citation form to be verified)"
        }
      ],
      "tags": [
        "DISC",
        "PATCH",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-nesbitt-the-mismeasure-of-open-source-2026-05-12",
      "url": "https://nesbitt.io/2026/05/09/the-mismeasure-of-open-source.html",
      "title": "Nesbitt — The Mismeasure of Open Source",
      "content_html": "<p><em>Andrew Nesbitt</em></p><p><strong>Published:</strong> 2026-05-09</p><p>9 May 2026 post cataloguing six failure modes in the metrics used to score open-source projects for criticality, risk, or funding need: missing reads silently written as zero; streetlight effect (metrics chosen for API availability rather than relevance); cross-ecosystem unit incommensurability; GitHub treated as the visible universe; identity / naming inconsistencies across packaging; and invisible funding arrangements. The six errors correlate on the same project profile, so quiet system libraries with one maintainer and no dashboard footprint get undercounted across every signal simultaneously.</p><p><strong>Tags:</strong> SUPPLY, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-12T12:00:00Z",
      "authors": [
        {
          "name": "Andrew Nesbitt"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-lambros-rockcyber-musings-your-defender-ai-is-your-next-crown-jewel-threat-model-2026-05-11",
      "url": "https://www.rockcybermusings.com/p/defender-ai-crown-jewel-mythos-gpt-cyber",
      "title": "Lambros (RockCyber Musings) — Your Defender AI Is Your Next Crown Jewel. Threat-Model It Now.",
      "content_html": "<p><em>Rock Lambros (RockCyber Musings)</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 practitioner post providing the cleanest quantitative parity numbers in the post-Mythos open-weight evidence base.</p><p><strong>Tags:</strong> DISC, XCUT, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-11T12:00:00Z",
      "authors": [
        {
          "name": "Rock Lambros (RockCyber Musings)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-stenberg-mythos-finds-a-curl-vulnerability-2026-05-11",
      "url": "https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/",
      "title": "Stenberg — Mythos finds a curl vulnerability",
      "content_html": "<p><em>Daniel Stenberg</em></p><p><strong>Published:</strong> 2026-05-11</p><p>11 May 2026 first-person post by the curl maintainer reporting the results of the first Mythos source-code analysis scan of curl, run through Project Glasswing via the Linux Foundation&#x27;s Alpha-Omega programme.</p><p><strong>Tags:</strong> DISC, OPS, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-11T12:00:00Z",
      "authors": [
        {
          "name": "Daniel Stenberg"
        }
      ],
      "tags": [
        "DISC",
        "OPS",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-uk-aisi-why-cyber-defenders-need-to-be-ready-for-frontier-ai-joint-blog-2026-05-10",
      "url": "https://www.ncsc.gov.uk/blogs/why-cyber-defenders-need-to-be-ready-for-frontier-ai",
      "title": "NCSC-UK + AISI — Why cyber defenders need to be ready for frontier AI (joint blog)",
      "content_html": "<p><em>UK National Cyber Security Centre and UK AI Security Institute (joint)</em></p><p><strong>Published:</strong> 2026-03-30</p><p>30 March 2026 joint NCSC-UK / AISI blog post laying out the pre-Mythos institutional framing: frontier AI is changing the economics of offensive cyber operations and defenders should be preparing now rather than waiting for a specific capability shock.</p><p><strong>Tags:</strong> GOV, POL, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "UK National Cyber Security Centre and UK AI Security Institute (joint)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-uk-aisi-harnessing-frontier-ai-for-cyber-defence-2026-05-10",
      "url": "https://www.aisi.gov.uk/blog/harnessing-frontier-ai-for-cyber-defence",
      "title": "UK AISI — Harnessing frontier AI for cyber defence",
      "content_html": "<p><em>UK AI Security Institute</em></p><p><strong>Published:</strong> 2026-03-31</p><p>31 March 2026 AISI blog post — the defensive-side companion to the previous day&#x27;s joint NCSC-UK / AISI piece.</p><p><strong>Tags:</strong> GOV, POL, DISC, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "UK AI Security Institute"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "DISC",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-nki-hungary-anthropic-announced-claude-mythos-cybersecurity-ai-breakthrough-2026-05-10",
      "url": "https://nki.gov.hu/it-biztonsag/hirek/az-anthropic-bejelentette-a-claude-mythost-kiberbiztonsagi-ai-attores/",
      "title": "NKI (Hungary) — Anthropic announced Claude Mythos: Cybersecurity AI breakthrough",
      "content_html": "<p><em>Nemzeti Kibervédelmi Intézet (NKI), Hungary</em></p><p><strong>Published:</strong> 2026-04-09</p><p>9 April 2026 announcement-style write-up by Hungary&#x27;s National Cyber Defense Institute (NKI) on the Mythos launch, presented as a cybersecurity AI breakthrough.</p><p><strong>Tags:</strong> GOV, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Nemzeti Kibervédelmi Intézet (NKI), Hungary"
        }
      ],
      "tags": [
        "GOV",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-nki-hungary-claude-mythos-has-identified-a-significant-number-of-firefox-vulnera-2026-05-10",
      "url": "https://nki.gov.hu/it-biztonsag/hirek/a-claude-mythos-jelentos-szamu-firefox-sebezhetoseget-azonositott/",
      "title": "NKI (Hungary) — Claude Mythos has identified a significant number of Firefox vulnerabilities",
      "content_html": "<p><em>Nemzeti Kibervédelmi Intézet (NKI), Hungary</em></p><p><strong>Published:</strong> 2026-04-24</p><p>Approximately 24 April 2026 NKI follow-up specifically on the Mozilla Firefox findings disclosed jointly with Anthropic on 23 April.</p><p><strong>Tags:</strong> GOV, DISC, PATCH</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Nemzeti Kibervédelmi Intézet (NKI), Hungary"
        }
      ],
      "tags": [
        "GOV",
        "DISC",
        "PATCH"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bsi-germany-statement-by-president-claudia-plattner-on-claude-mythos-dpa-zdfheut-2026-05-10",
      "url": "https://www.zdfheute.de/politik/deutschland/ki-anthropic-claude-mythos-schwachstellen-software-bsi-100.html",
      "title": "BSI (Germany) — Statement by President Claudia Plattner on Claude Mythos (dpa / ZDFheute)",
      "content_html": "<p><em>Claudia Plattner, President of the Bundesamt für Sicherheit in der Informationstechnik (BSI); via dpa, reported by ZDFheute</em></p><p><strong>Published:</strong> 2026-04-10</p><p>10 April 2026 dpa interview-based ZDFheute report carrying the first public statement from BSI President Claudia Plattner on Claude Mythos.</p><p><strong>Tags:</strong> GOV, POL, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Claudia Plattner, President of the Bundesamt für Sicherheit in der Informationstechnik (BSI); via dpa, reported by ZDFheute"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bsi-germany-ki-modelle-revolutionieren-den-umgang-mit-sicherheitsl-cken-plattner-2026-05-10",
      "url": "https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Blog/KI-Modelle_neue_Zeitrechnung_260508.html",
      "title": "BSI (Germany) — KI-Modelle revolutionieren den Umgang mit Sicherheitslücken (Plattner Cybernation-Blog)",
      "content_html": "<p><em>Claudia Plattner, President of the BSI</em></p><p><strong>Published:</strong> 2026-05-08</p><p>8 May 2026 Cybernation-Blog post by BSI President Claudia Plattner — the formal BSI policy-position piece following the 10 April dpa interview.</p><p><strong>Tags:</strong> GOV, POL, SOV, DISC, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Claudia Plattner, President of the BSI"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV",
        "DISC",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-ie-ireland-statement-on-anthropic-s-mythos-preview-model-for-defensive-cybe-2026-05-10",
      "url": "https://www.gov.ie/en/department-of-justice-home-affairs-and-migration/press-releases/national-cyber-security-centre-ncsc-statement-on-anthropics-mythos-preview-model-for-defensive-cyber-security-purposes/",
      "title": "NCSC-IE (Ireland) — Statement on Anthropic's Mythos Preview model for defensive cyber security purposes",
      "content_html": "<p><em>National Cyber Security Centre, Department of Justice, Home Affairs and Migration (Ireland)</em></p><p><strong>Published:</strong> 2026-04-13</p><p>13 April 2026 official Irish NCSC press-release-style statement positioning Mythos Preview specifically as a defensive cyber security tool.</p><p><strong>Tags:</strong> GOV, POL, OPS, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "National Cyber Security Centre, Department of Justice, Home Affairs and Migration (Ireland)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-ie-ireland-director-richard-browne-opening-statement-to-the-oireachtas-join-2026-05-10",
      "url": "https://data.oireachtas.ie/ie/oireachtas/committee/dail/34/joint_committee_on_artificial_intelligence/submissions/2026/2026-04-14_opening-statement-richard-browne-director-national-cyber-security-centre_en.pdf",
      "title": "NCSC-IE (Ireland) — Director Richard Browne, opening statement to the Oireachtas Joint Committee on AI",
      "content_html": "<p><em>Richard Browne, Director, National Cyber Security Centre (Ireland)</em></p><p><strong>Published:</strong> 2026-04-14</p><p>14 April 2026 opening statement by NCSC-IE Director Richard Browne to the Oireachtas Joint Committee on Artificial Intelligence — Irish parliamentary-record evidence on the Mythos response, one day after the NCSC-IE press statement.</p><p><strong>Tags:</strong> GOV, POL, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Richard Browne, Director, National Cyber Security Centre (Ireland)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-nl-netherlands-anthropic-s-frontier-model-mythos-requires-immediate-action-2026-05-10",
      "url": "https://www.ncsc.nl/nieuws/anthropics-frontiermodel-mythos-vraagt-om-directe-actie",
      "title": "NCSC-NL (Netherlands) — Anthropic's frontier model Mythos requires immediate action",
      "content_html": "<p><em>Nationaal Cyber Security Centrum (NCSC-NL), Netherlands</em></p><p><strong>Published:</strong> 2026-04-15</p><p>15 April 2026 official NCSC-NL statement framing Mythos as requiring immediate operational action. Useful as an operationally-urgent EU national-CSIRT data point in the post-Mythos institutional-response cluster.</p><p><strong>Tags:</strong> GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Nationaal Cyber Security Centrum (NCSC-NL), Netherlands"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cncs-portugal-statement-by-coordinator-lino-santos-on-claude-mythos-eco-2026-05-10",
      "url": "https://eco.sapo.pt/2026/04/17/centro-de-ciberseguranca-pede-rapidez-a-corrigir-sistemas-devido-ao-claude-mythos/",
      "title": "CNCS (Portugal) — Statement by coordinator Lino Santos on Claude Mythos (ECO)",
      "content_html": "<p><em>Lino Santos, Coordinator of the Centro Nacional de Cibersegurança (CNCS), Portugal; written response to ECO</em></p><p><strong>Published:</strong> 2026-04-17</p><p>17 April 2026 ECO report carrying CNCS coordinator Lino Santos&#x27;s written response on Claude Mythos.</p><p><strong>Tags:</strong> GOV, POL, PATCH, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Lino Santos, Coordinator of the Centro Nacional de Cibersegurança (CNCS), Portugal; written response to ECO"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "PATCH",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cert-at-austrian-interior-ministry-statement-by-otmar-lendl-on-claude-mythos-orf-2026-05-10",
      "url": "https://orf.at/stories/3427178/",
      "title": "CERT.at + Austrian Interior Ministry — Statement by Otmar Lendl on Claude Mythos (ORF.at)",
      "content_html": "<p><em>Otmar Lendl, CERT.at; with parallel statement from the Austrian Bundesministerium für Inneres; via ORF.at interview</em></p><p><strong>Published:</strong> 2026-04-17</p><p>17 April 2026 ORF.at interview with CERT.at expert Otmar Lendl on Claude Mythos, with a parallel statement from the Austrian Bundesministerium für Inneres (Interior Ministry).</p><p><strong>Tags:</strong> GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Otmar Lendl, CERT.at; with parallel statement from the Austrian Bundesministerium für Inneres; via ORF.at interview"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ccb-cert-be-belgium-ai-increases-pressure-on-corporate-cybersecurity-2026-05-10",
      "url": "https://ccb.belgium.be/news/ai-increases-pressure-corporate-cybersecurity",
      "title": "CCB / CERT.be (Belgium) — AI increases pressure on corporate cybersecurity",
      "content_html": "<p><em>Centre for Cybersecurity Belgium (CCB) / CERT.be</em></p><p><strong>Published:</strong> 2026-04-20</p><p>20 April 2026 CCB / CERT.be statement framing the Mythos moment in terms of pressure on corporate cybersecurity rather than as a discrete capability event.</p><p><strong>Tags:</strong> GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Centre for Cybersecurity Belgium (CCB) / CERT.be"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-dkcert-denmark-unauthorised-access-to-anthropic-s-most-dangerous-cyber-ai-2026-05-10",
      "url": "https://cert.dk/news/2026-04-23/Uautoriseret-adgang-til-Anthropics-farligste-cyber-AI",
      "title": "DKCERT (Denmark) — Unauthorised access to Anthropic's most dangerous cyber-AI",
      "content_html": "<p><em>DKCERT (Danish academic CERT, hosted at DTU)</em></p><p><strong>Published:</strong> 2026-04-23</p><p>23 April 2026 DKCERT statement.</p><p><strong>Tags:</strong> GOV, DISC, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "DKCERT (Danish academic CERT, hosted at DTU)"
        }
      ],
      "tags": [
        "GOV",
        "DISC",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ria-ncsc-ee-estonia-overview-of-anthropic-s-new-model-claude-mythos-preview-2026-05-10",
      "url": "https://www.ria.ee/blogi/ulevaade-anthropicu-uuest-mudelist-claude-mythos-preview",
      "title": "RIA / NCSC-EE (Estonia) — Overview of Anthropic's new model Claude Mythos Preview",
      "content_html": "<p><em>Riigi Infosüsteemi Amet (RIA) / NCSC-EE, Estonia</em></p><p><strong>Published:</strong> 2026-04-23</p><p>23 April 2026 RIA / NCSC-EE blog post providing an overview-style write-up of Mythos Preview for the Estonian national-cybersecurity audience.</p><p><strong>Tags:</strong> GOV, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Riigi Infosüsteemi Amet (RIA) / NCSC-EE, Estonia"
        }
      ],
      "tags": [
        "GOV",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-se-sweden-collaboration-with-ai-sweden-2026-05-10",
      "url": "https://www.ncsc.se/sv/aktuellt/samverkan-med-ai-sweden/",
      "title": "NCSC-SE (Sweden) — Collaboration with AI Sweden",
      "content_html": "<p><em>Nationellt Cybersäkerhetscenter (NCSC-SE)</em></p><p><strong>Published:</strong> 2026-04-24</p><p>24 April 2026 NCSC-SE announcement of a collaboration with AI Sweden on the security implications of advanced AI models.</p><p><strong>Tags:</strong> GOV, POL, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Nationellt Cybersäkerhetscenter (NCSC-SE)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cert-se-sweden-weekly-bulletin-week-17-2026-05-10",
      "url": "https://www.cert.se/2026/04/cert-se-veckobrev-v17.html",
      "title": "CERT-SE (Sweden) — Weekly bulletin, week 17",
      "content_html": "<p><em>CERT-SE</em></p><p><strong>Published:</strong> 2026-04-24</p><p>24 April 2026 CERT-SE weekly bulletin (week 17).</p><p><strong>Tags:</strong> GOV, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "CERT-SE"
        }
      ],
      "tags": [
        "GOV",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ursiv-slovenia-statement-on-claude-mythos-sta-forbes-slovenija-2026-05-10",
      "url": "https://forbes.n1info.si/posel/kaj-svetuje-urad-za-informacijsko-varnost-glede-zmogljivega-mythosa/",
      "title": "URSIV (Slovenia) — Statement on Claude Mythos (STA / Forbes Slovenija)",
      "content_html": "<p><em>Urad Republike Slovenije za informacijsko varnost (URSIV); via STA, reported by Forbes Slovenija and Delo</em></p><p><strong>Published:</strong> 2026-04-25</p><p>25 April 2026 statement by URSIV (Slovenian Office for Information Security) on Claude Mythos, distributed via STA and reported by Forbes Slovenija and Delo.</p><p><strong>Tags:</strong> GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Urad Republike Slovenije za informacijsko varnost (URSIV); via STA, reported by Forbes Slovenija and Delo"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-fi-traficom-finland-statement-by-operations-manager-matias-mesi-on-claude-m-2026-05-10",
      "url": "https://yle.fi/a/74-20222468",
      "title": "NCSC-FI / Traficom (Finland) — Statement by Operations Manager Matias Mesiä on Claude Mythos (Yle)",
      "content_html": "<p><em>Matias Mesiä, Operations Manager, NCSC-FI / Traficom Kyberturvallisuuskeskus; via Yle interview</em></p><p><strong>Published:</strong> 2026-04-27</p><p>27 April 2026 Yle interview with NCSC-FI Operations Manager Matias Mesiä on Claude Mythos.</p><p><strong>Tags:</strong> GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Matias Mesiä, Operations Manager, NCSC-FI / Traficom Kyberturvallisuuskeskus; via Yle interview"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-dsit-cabinet-office-uk-ai-cyber-threats-open-letter-to-business-leaders-kendall--2026-05-10",
      "url": "https://www.gov.uk/government/publications/ai-cyber-threats-open-letter-to-business-leaders/ai-cyber-threats-open-letter-to-business-leaders-html",
      "title": "DSIT / Cabinet Office (UK) — AI cyber threats: open letter to business leaders (Kendall, Jarvis)",
      "content_html": "<p><em>Liz Kendall (Secretary of State for Science, Innovation and Technology) and Dan Jarvis (Minister of State for Security)</em></p><p><strong>Published:</strong> 2026-04-15</p><p>15 April 2026 ministerial open letter to UK business leaders on AI cyber threats, jointly signed by the Secretary of State for Science, Innovation and Technology (Kendall) and the Minister of State for Security (Jarvis).</p><p><strong>Tags:</strong> GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Liz Kendall (Secretary of State for Science, Innovation and Technology) and Dan Jarvis (Minister of State for Security)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-uk-preparing-for-severe-cyber-threat-why-leaders-must-act-now-ellison-2026-05-10",
      "url": "https://www.ncsc.gov.uk/blogs/preparing-for-severe-cyber-threat-why-leaders-must-act-now",
      "title": "NCSC-UK — Preparing for severe cyber threat: why leaders must act now (Ellison)",
      "content_html": "<p><em>Jonathon Ellison, NCSC-UK</em></p><p><strong>Published:</strong> 2026-04-20</p><p>20 April 2026 NCSC-UK blog post by Jonathon Ellison framing the post-Mythos environment as a severe cyber threat requiring leader-level action now.</p><p><strong>Tags:</strong> GOV, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "Jonathon Ellison, NCSC-UK"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-uk-supporting-ai-adoption-for-uk-cyber-defence-2026-05-10",
      "url": "https://www.ncsc.gov.uk/blogs/supporting-ai-adoption-for-uk-cyber-defence",
      "title": "NCSC-UK — Supporting AI adoption for UK cyber defence",
      "content_html": "<p><em>UK National Cyber Security Centre (NCSC)</em></p><p><strong>Published:</strong> 2026-04-23</p><p>23 April 2026 NCSC-UK blog post articulating the defensive-deployment counterpart to the Ellison &quot;severe cyber threat&quot; piece three days earlier.</p><p><strong>Tags:</strong> GOV, POL, OPS, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-10T12:00:00Z",
      "authors": [
        {
          "name": "UK National Cyber Security Centre (NCSC)"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "OPS",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cyberinsecurity-the-cost-of-monopoly-2026-05-07",
      "url": "https://cryptome.org/cyberinsecurity.htm",
      "title": "CyberInsecurity: The Cost of Monopoly",
      "content_html": "<p><em>Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, Bruce Schneier</em></p><p><strong>Published:</strong> 2003-09-01</p><p>Foundational policy paper arguing that Microsoft&#x27;s operating-system dominance constituted a software monoculture in which a single vulnerability class could propagate across the entire installed base simultaneously.</p><p><strong>Tags:</strong> XCUT, SUPPLY, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, Bruce Schneier"
        }
      ],
      "tags": [
        "XCUT",
        "SUPPLY",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-is-finding-security-holes-a-good-idea-2026-05-07",
      "url": "https://doi.org/10.1109/MSP.2005.17",
      "title": "Is Finding Security Holes a Good Idea?",
      "content_html": "<p><em>Eric Rescorla</em></p><p><strong>Published:</strong> 2005-06-30</p><p>Rescorla&#x27;s empirical observation that bug-finding rates appeared roughly constant over time was, with hindsight, consistent with the &quot;dense&quot; side of the later vulnerability-density debate; a constant rate is what one would expect from sampling a large reservoir rather than draining a small one.</p><p><strong>Tags:</strong> XCUT, DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Eric Rescorla"
        }
      ],
      "tags": [
        "XCUT",
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-milk-or-wine-does-software-security-improve-with-age-2026-05-07",
      "url": "https://www.usenix.org/conference/15th-usenix-security-symposium/milk-or-wine-does-software-security-improve-age",
      "title": "Milk or Wine: Does Software Security Improve with Age?",
      "content_html": "<p><em>Andy Ozment, Stuart E. Schechter</em></p><p><strong>Published:</strong> 2006-06-30</p><p>Empirical study of OpenBSD versions 2.3 through 3.7 that tested whether software security improves as code matures.</p><p><strong>Tags:</strong> XCUT, DISC, PATCH, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Andy Ozment, Stuart E. Schechter"
        }
      ],
      "tags": [
        "XCUT",
        "DISC",
        "PATCH",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-on-bug-disclosure-and-contact-with-vendors-2026-05-07",
      "url": "http://addxorrol.blogspot.com/2006/06/on-bug-disclosure-and-contact-with.html",
      "title": "On bug disclosure and contact with vendors",
      "content_html": "<p><em>Halvar Flake (Thomas Dullien)</em></p><p><strong>Published:</strong> 2006-06-01</p><p>Early personal post on the friction of the disclosure process from a researcher&#x27;s perspective: the effort of writing reports, the back-and-forth with vendors who do not understand the issue, and the subtle ways in which the asymmetry of effort between finder and vendor shapes the eventual disclosure outcome.</p><p><strong>Tags:</strong> DISCL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Halvar Flake (Thomas Dullien)"
        }
      ],
      "tags": [
        "DISCL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-automatic-patch-based-exploit-generation-is-possible-techniques-and-implications-2026-05-07",
      "url": "https://bitblaze.cs.berkeley.edu/papers/apeg.pdf",
      "title": "Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications",
      "content_html": "<p><em>David Brumley, Pongsin Poosankam, Dawn Song, Jiang Zheng</em></p><p><strong>Published:</strong> 2008-06-30</p><p>Foundational IEEE S&amp;P 2008 paper from the BitBlaze project at UC Berkeley demonstrating that automatic patch-based exploit generation is technically feasible.</p><p><strong>Tags:</strong> EXPL, PATCH, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "David Brumley, Pongsin Poosankam, Dawn Song, Jiang Zheng"
        }
      ],
      "tags": [
        "EXPL",
        "PATCH",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-optimal-policy-for-software-vulnerability-disclosure-2026-05-07",
      "url": "https://doi.org/10.1287/mnsc.1070.0771",
      "title": "Optimal Policy for Software Vulnerability Disclosure",
      "content_html": "<p><em>Ashish Arora, Rahul Telang, Hao Xu</em></p><p><strong>Published:</strong> 2008-06-30</p><p>Formal economic model that derives a welfare-maximising vulnerability disclosure deadline as a function of three parameters: vendor patching cost, user-side patch-deployment rate, and attacker-side exploitation cost.</p><p><strong>Tags:</strong> DISCL, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Ashish Arora, Rahul Telang, Hao Xu"
        }
      ],
      "tags": [
        "DISCL",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-szekeres-payer-wei-and-song-sok-eternal-war-in-memory-2026-05-07",
      "url": "https://hexhive.epfl.ch/publications/files/14SP.pdf",
      "title": "Szekeres, Payer, Wei and Song — SoK: Eternal War in Memory",
      "content_html": "<p><em>László Szekeres, Mathias Payer, Tao Wei, Dawn Song</em></p><p><strong>Published:</strong> 2013-06-30</p><p>Foundational SoK paper that builds an attack-step model of memory-corruption exploitation and maps each deployed and proposed mitigation onto the specific attack steps it blocks.</p><p><strong>Tags:</strong> EXPL, PATCH, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "László Szekeres, Mathias Payer, Tao Wei, Dawn Song"
        }
      ],
      "tags": [
        "EXPL",
        "PATCH",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-comparing-vulnerability-severity-and-exploits-using-case-control-studies-2026-05-07",
      "url": "https://doi.org/10.1145/2630069",
      "title": "Comparing Vulnerability Severity and Exploits Using Case-Control Studies",
      "content_html": "<p><em>Luca Allodi, Fabio Massacci</em></p><p><strong>Published:</strong> 2014-06-30</p><p>Empirical case-control study that compared patched vulnerability populations prioritised by CVSS score, by proof-of-concept existence, and by black-market exploit presence.</p><p><strong>Tags:</strong> TRIAGE, EXPL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Luca Allodi, Fabio Massacci"
        }
      ],
      "tags": [
        "TRIAGE",
        "EXPL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cybersecurity-as-realpolitik-black-hat-usa-keynote-2026-05-07",
      "url": "https://geer.tinho.net/geer.blackhat.6viii14.txt",
      "title": "Cybersecurity as Realpolitik (Black Hat USA keynote)",
      "content_html": "<p><em>Daniel Geer</em></p><p><strong>Published:</strong> 2014-06-30</p><p>Keynote address at Black Hat USA 2014 in which Geer posed the sparse/dense vulnerability question in the context of a striking policy proposal: that the US government should corner the vulnerability market by purchasing all available exploits at premium prices and publicly disclosing them.</p><p><strong>Tags:</strong> POL, XCUT, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Daniel Geer"
        }
      ],
      "tags": [
        "POL",
        "XCUT",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-the-wolves-of-vuln-street-the-1st-system-dynamics-model-of-the-0day-market-2026-05-07",
      "url": "https://cams.mit.edu/wp-content/uploads/2017/12/The-Wolves-of-Vuln-Street-The-1st-System-Dynamics-Model-of-the-0day-Market.pdf",
      "title": "The Wolves of Vuln Street: The 1st System Dynamics Model of the 0day Market",
      "content_html": "<p><em>Katie Moussouris, Michael Siegel (with James Houghton, Ryan Ellis, James Greene)</em></p><p><strong>Published:</strong> 2015-06-30</p><p>RSA Conference USA 2015 presentation introducing the first system-dynamics model of the zero-day market.</p><p><strong>Tags:</strong> XCUT, POL, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Katie Moussouris, Michael Siegel (with James Houghton, Ryan Ellis, James Greene)"
        }
      ],
      "tags": [
        "XCUT",
        "POL",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-house-oversight-homeland-security-joint-hearing-wassenaar-cybersecurity-and-expo-2026-05-07",
      "url": "https://www.govinfo.gov/content/pkg/CHRG-114hhrg23401/html/CHRG-114hhrg23401.htm",
      "title": "House Oversight & Homeland Security joint hearing — Wassenaar: Cybersecurity and Export Controls",
      "content_html": "<p><em>US Congress, 114th Cong. 2nd Sess. (House Oversight &amp; Government Reform Subcommittee on Information Technology, chaired by Hurd; House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection &amp; Security Technologies, chaired by Ratcliffe). Witnesses: Vann H. Van Diepen (State); Hon. Kevin J. Wolf (Commerce/BIS); Phyllis Schneck (NPPD/DHS); Cheri Flynn McGuire (Symantec); Iain Mulholland (VMware); Cristin Flynn Goodwin (Microsoft); Dean C. Garfield (ITI Council); Ann K. Ganzer (head of US delegation to Wassenaar).</em></p><p><strong>Published:</strong> 2016-01-12</p><p>12 January 2016 joint subcommittee hearing convened to examine the December 2013 Wassenaar Arrangement amendment adding &quot;intrusion software&quot; to the dual-use control list, BIS&#x27;s withdrawn 20 May 2015 proposed implementing rule, and the path forward.</p><p><strong>Tags:</strong> GOV, POL, XCUT, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "US Congress, 114th Cong. 2nd Sess. (House Oversight & Government Reform Subcommittee on Information Technology, chaired by Hurd; House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection & Security Technologies, chaired by Ratcliffe). Witnesses: Vann H. Van Diepen (State); Hon. Kevin J. Wolf (Commerce/BIS); Phyllis Schneck (NPPD/DHS); Cheri Flynn McGuire (Symantec); Iain Mulholland (VMware); Cristin Flynn Goodwin (Microsoft); Dean C. Garfield (ITI Council); Ann K. Ganzer (head of US delegation to Wassenaar)."
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "XCUT",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-a-large-scale-empirical-study-of-security-patches-2026-05-07",
      "url": "https://doi.org/10.1145/3133956.3134072",
      "title": "A Large-Scale Empirical Study of Security Patches",
      "content_html": "<p><em>Frank Li, Vern Paxson</em></p><p><strong>Published:</strong> 2017-06-30</p><p>Large-scale empirical study examining over 4,000 bug fixes for more than 3,000 vulnerabilities across 682 open-source projects.</p><p><strong>Tags:</strong> PATCH, DISCL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Frank Li, Vern Paxson"
        }
      ],
      "tags": [
        "PATCH",
        "DISCL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-burow-carr-nash-larsen-franz-brunthaler-and-payer-control-flow-integrity-precisi-2026-05-07",
      "url": "https://arxiv.org/abs/1602.04056",
      "title": "Burow, Carr, Nash, Larsen, Franz, Brunthaler and Payer — Control-Flow Integrity: Precision, Security, and Performance",
      "content_html": "<p><em>Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, Mathias Payer</em></p><p><strong>Published:</strong> 2017-06-30</p><p>Unified comparison of CFI mechanisms across qualitative security guarantees, quantitative security evaluation, and empirical performance — the standard reference for what CFI does and does not provide.</p><p><strong>Tags:</strong> EXPL, PATCH, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, Mathias Payer"
        }
      ],
      "tags": [
        "EXPL",
        "PATCH",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-dullien-halvar-flake-weird-machines-exploitability-and-provable-unexploitability-2026-05-07",
      "url": "https://ieeexplore.ieee.org/document/8226852",
      "title": "Dullien (Halvar Flake) — Weird machines, exploitability, and provable unexploitability",
      "content_html": "<p><em>Thomas Dullien (Halvar Flake)</em></p><p><strong>Published:</strong> 2017-12-01</p><p>Dullien describes this on his academic page as the closest thing to his &quot;magnum opus.&quot; Builds on a longer lineage: the term &quot;weird machine&quot; was coined by Sergey Bratus, developed in Dullien&#x27;s 2011 Infiltrate talk *Exploitation and State Machines*, and given historical context by Bratus et al. &quot;From Buffer Overflows to &#x27;Weird Machines&#x27;.&quot; The paper&#x27;s argument: a program defines an *intended* finite-state machine — the set of states and transitions the programmer designed; a vulnerability creates additional, unintended states reachable through memory corruption; these unintended states form a *weird machine* embedded inside the intended one.</p><p><strong>Tags:</strong> EXPL, PATCH, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Thomas Dullien (Halvar Flake)"
        }
      ],
      "tags": [
        "EXPL",
        "PATCH",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-economic-factors-of-vulnerability-trade-and-exploitation-2026-05-07",
      "url": "https://arxiv.org/abs/1708.04866",
      "title": "Economic Factors of Vulnerability Trade and Exploitation",
      "content_html": "<p><em>Luca Allodi</em></p><p><strong>Published:</strong> 2017-08-01</p><p>Empirical study based on prices observed on a Russian-language cybercrime market over multiple years.</p><p><strong>Tags:</strong> EXPL, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Luca Allodi"
        }
      ],
      "tags": [
        "EXPL",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-taking-stock-estimating-vulnerability-rediscovery-2026-05-07",
      "url": "https://doi.org/10.2139/ssrn.2928758",
      "title": "Taking Stock: Estimating Vulnerability Rediscovery",
      "content_html": "<p><em>Trey Herr, Bruce Schneier, Christopher Morris</em></p><p><strong>Published:</strong> 2017-06-30</p><p>Empirical study using an open-source dataset of over four thousand vulnerabilities across browsers, Android, and other categories to estimate how often independent researchers rediscover the same vulnerability.</p><p><strong>Tags:</strong> DISC, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Trey Herr, Bruce Schneier, Christopher Morris"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-fixing-a-hole-the-labor-market-for-bugs-2026-05-07",
      "url": "https://doi.org/10.7551/mitpress/11636.003.0006",
      "title": "Fixing a Hole: The Labor Market for Bugs",
      "content_html": "<p><em>Ryan Ellis, Keman Huang, Michael Siegel, Katie Moussouris, James Houghton</em></p><p><strong>Published:</strong> 2018-06-30</p><p>Peer-reviewed extension of the authors&#x27; earlier RSA-conference &quot;Wolves of Vuln Street&quot; presentation that formalises the system-dynamics model of offensive and defensive vulnerability labour.</p><p><strong>Tags:</strong> XCUT, POL, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Ryan Ellis, Keman Huang, Michael Siegel, Katie Moussouris, James Houghton"
        }
      ],
      "tags": [
        "XCUT",
        "POL",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-towards-improving-cvss-sei-technical-report-2026-05-07",
      "url": "https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538368",
      "title": "Towards Improving CVSS (SEI Technical Report)",
      "content_html": "<p><em>Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, Deana Shick</em></p><p><strong>Published:</strong> 2018-06-30</p><p>SEI technical report documenting CVSS scoring errors of ±1.5 to 2.5 points across realistic scoring exercises.</p><p><strong>Tags:</strong> TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, Deana Shick"
        }
      ],
      "tags": [
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-rashomon-of-disclosure-2026-05-07",
      "url": "http://addxorrol.blogspot.com/2019/08/rashomon-of-disclosure.html",
      "title": "Rashomon of disclosure",
      "content_html": "<p><em>Halvar Flake (Thomas Dullien)</em></p><p><strong>Published:</strong> 2019-08-01</p><p>Blog post arguing that disclosure is inherently a multi-perspective problem with no clean answers. Dullien&#x27;s broader argument is that every stakeholder group — vendors, brokers, researchers, defenders, government — has structural incentives to self-delude about the right policy, and that confident single-answer frameworks are usually the product of one of those incentives.</p><p><strong>Tags:</strong> DISCL, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Halvar Flake (Thomas Dullien)"
        }
      ],
      "tags": [
        "DISCL",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-wolfssl-wolfssl-announces-integration-with-curl-daniel-stenberg-joins-wolfssl-2026-05-07",
      "url": "https://www.helpnetsecurity.com/2019/02/07/daniel-stemberg-joins-wolfssl/",
      "title": "wolfSSL — wolfSSL Announces Integration with cURL (Daniel Stenberg joins wolfSSL)",
      "content_html": "<p><em>wolfSSL (PRWeb / Help Net Security coverage)</em></p><p><strong>Published:</strong> 2019-02-01</p><p>February 2019 PRWeb employment announcement (covered by Help Net Security) marking Daniel Stenberg&#x27;s hire by wolfSSL to work full-time on curl, with wolfSSL providing tiered commercial curl support contracts at the original 2019 launch prices ($2K, $6K, $23K, $50K per year).</p><p><strong>Tags:</strong> OPS, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "wolfSSL (PRWeb / Help Net Security coverage)"
        }
      ],
      "tags": [
        "OPS",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-before-you-ship-a-security-mitigation-2026-05-07",
      "url": "http://addxorrol.blogspot.com/2020/03/before-you-ship-security-mitigation.html",
      "title": "Before you ship a security mitigation...",
      "content_html": "<p><em>Halvar Flake (Thomas Dullien)</em></p><p><strong>Published:</strong> 2020-03-01</p><p>Blog post arguing that security mitigations are often shipped with handwavy justifications (&quot;raises the bar,&quot; &quot;makes it harder&quot;) and proposing concrete rules: design documents with falsifiable claims about what attacks the mitigation prevents; red-team testing with experienced exploit developers for a sustained period (Dullien suggests four to eight weeks); and quantified goals such as &quot;make exploitation of bugs like CVE-X take more than N months.&quot; The post is short but unusually rigorous for a practitioner essay on mitigation engineering, and it articulates a standard for what defensive engineering should look like that the rest of the industry has not generally adopted.</p><p><strong>Tags:</strong> PATCH, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Halvar Flake (Thomas Dullien)"
        }
      ],
      "tags": [
        "PATCH",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-fuzzing-on-the-exponential-cost-of-vulnerability-discovery-2026-05-07",
      "url": "https://doi.org/10.1145/3368089.3409729",
      "title": "Fuzzing: On the Exponential Cost of Vulnerability Discovery",
      "content_html": "<p><em>Marcel Böhme, Brandon Falk</em></p><p><strong>Published:</strong> 2020-06-30</p><p>Empirical study establishing that the expected cost of finding the nth previously unknown vulnerability through fuzzing grows exponentially with n. The implication is that simply running more fuzzing — or, by extension, more LLM scanning — against a given target produces rapidly diminishing marginal returns.</p><p><strong>Tags:</strong> DISC, XCUT, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Marcel Böhme, Brandon Falk"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-prioritizing-vulnerability-response-a-stakeholder-specific-vulnerability-categor-2026-05-07",
      "url": "https://certcc.github.io/SSVC/",
      "title": "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (SSVC)",
      "content_html": "<p><em>Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, Deana Shick</em></p><p><strong>Published:</strong> 2020-06-30</p><p>Foundational paper introducing Stakeholder-Specific Vulnerability Categorization, a decision-tree framework that produces qualitative outputs (defer, scheduled, out-of-band, immediate) calibrated to stakeholder roles (deployer, supplier, coordinator).</p><p><strong>Tags:</strong> TRIAGE, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, Deana Shick"
        }
      ],
      "tags": [
        "TRIAGE",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-exploit-prediction-scoring-system-epss-2026-05-07",
      "url": "https://dl.acm.org/doi/10.1145/3436242",
      "title": "Exploit Prediction Scoring System (EPSS)",
      "content_html": "<p><em>Jay Jacobs et al.</em></p><p><strong>Published:</strong> 2021-06-30</p><p>Original Digital Threats academic paper introducing the Exploit Prediction Scoring System, a machine-learning model that estimates the probability that a given CVE will be exploited in the wild within a defined forward-looking window.</p><p><strong>Tags:</strong> TRIAGE, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Jay Jacobs et al."
        }
      ],
      "tags": [
        "TRIAGE",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-0-day-in-the-wild-exploitation-in-2022-so-far-2026-05-07",
      "url": "https://projectzero.google/2022/06/2022-0-day-in-wild-exploitationso-far.html",
      "title": "0-day In-the-Wild Exploitation in 2022…so far",
      "content_html": "<p><em>Maddie Stone (Google Project Zero)</em></p><p><strong>Published:</strong> 2022-06-01</p><p>Project Zero blog post documenting that of 18 zero-days exploited in the first half of 2022, at least 9 (50%) were variants of previously patched vulnerabilities, and four were variants of 2021 zero-days, indicating attackers returned to the same underlying weakness within twelve months.</p><p><strong>Tags:</strong> EXPL, PATCH, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Maddie Stone (Google Project Zero)"
        }
      ],
      "tags": [
        "EXPL",
        "PATCH",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-an-autopsy-on-a-zombie-in-the-wild-0-day-2026-05-07",
      "url": "https://projectzero.google/2022/06/an-autopsy-on-zombie-in-wild-0-day.html",
      "title": "An Autopsy on a Zombie In-the-Wild 0-day",
      "content_html": "<p><em>Maddie Stone (Google Project Zero)</em></p><p><strong>Published:</strong> 2022-06-01</p><p>Companion Project Zero piece to Stone&#x27;s 2022 zero-day analysis, documenting the case of CVE-2022-22620: a vulnerability fixed in Safari in 2013, reintroduced during a 2016 refactoring, and remaining exploitable in the wild until 2022.</p><p><strong>Tags:</strong> PATCH, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Maddie Stone (Google Project Zero)"
        }
      ],
      "tags": [
        "PATCH",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hoffmann-nagle-and-zhou-census-ii-of-free-and-open-source-software-application-l-2026-05-07",
      "url": "https://www.linuxfoundation.org/research/census-ii-of-free-and-open-source-software-application-libraries",
      "title": "Hoffmann, Nagle and Zhou — Census II of Free and Open Source Software: Application Libraries",
      "content_html": "<p><em>Hoffmann, Nagle, Zhou (Harvard Laboratory for Innovation Science / Linux Foundation / Open Source Security Foundation)</em></p><p><strong>Published:</strong> 2022-06-30</p><p>2022 Harvard / Linux Foundation / LISH study mining Snyk, Synopsys and FOSSA enterprise codebase data to count actual deployment of open-source application libraries inside commercial products, addressing the gap between registry download counts and production embedding that simpler methodologies cannot see.</p><p><strong>Tags:</strong> SUPPLY, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Hoffmann, Nagle, Zhou (Harvard Laboratory for Innovation Science / Linux Foundation / Open Source Security Foundation)"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mind-the-gap-2026-05-07",
      "url": "https://projectzero.google/2022/11/mind-the-gap.html",
      "title": "Mind the Gap",
      "content_html": "<p><em>Ian Beer (Google Project Zero)</em></p><p><strong>Published:</strong> 2022-11-01</p><p>Project Zero blog post analysing the patch gap between upstream vendor fix and downstream deployment, using the ARM Mali GPU as the case study.</p><p><strong>Tags:</strong> PATCH, SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Ian Beer (Google Project Zero)"
        }
      ],
      "tags": [
        "PATCH",
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-the-more-you-know-the-more-you-know-you-don-t-know-2026-05-07",
      "url": "https://projectzero.google/2022/04/the-more-you-know-more-you-know-you.html",
      "title": "The More You Know, The More You Know You Don't Know",
      "content_html": "<p><em>Maddie Stone (Google Project Zero)</em></p><p><strong>Published:</strong> 2022-04-01</p><p>Project Zero&#x27;s 2021 year-in-review documenting 58 in-the-wild zero-days detected in 2021, a record at the time.</p><p><strong>Tags:</strong> EXPL, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Maddie Stone (Google Project Zero)"
        }
      ],
      "tags": [
        "EXPL",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-stenberg-funded-curl-improvements-2026-05-07",
      "url": "https://daniel.haxx.se/blog/2022/10/19/funded-curl-improvements/",
      "title": "Stenberg — Funded curl improvements",
      "content_html": "<p><em>Daniel Stenberg</em></p><p><strong>Published:</strong> 2022-10-01</p><p>October 2022 post by the curl maintainer announcing a Sovereign Tech Fund grant to support curl improvements.</p><p><strong>Tags:</strong> OPS, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Daniel Stenberg"
        }
      ],
      "tags": [
        "OPS",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-vulnerability-forecasting-theory-and-practice-2026-05-07",
      "url": "https://doi.org/10.1145/3492328",
      "title": "Vulnerability Forecasting: Theory and Practice",
      "content_html": "<p><em>Éireann Leverett, Matilda Rhode, Adam Wedgbury</em></p><p><strong>Published:</strong> 2022-12-01</p><p>Academic paper that applies time-series methods (ARIMA, exponential smoothing, and others) to historical CVE publication data from NVD and MITRE, demonstrating that different forecasting algorithms perform well at different lookahead horizons.</p><p><strong>Tags:</strong> TRIAGE, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Éireann Leverett, Matilda Rhode, Adam Wedgbury"
        }
      ],
      "tags": [
        "TRIAGE",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cisa-open-source-software-security-roadmap-2026-05-07",
      "url": "https://www.cisa.gov/resources-tools/resources/cisa-open-source-software-security-roadmap",
      "title": "CISA — Open Source Software Security Roadmap",
      "content_html": "<p><em>US Cybersecurity and Infrastructure Security Agency</em></p><p><strong>Published:</strong> 2023-09-01</p><p>September 2023 CISA roadmap setting out four goals for federal engagement with open-source software security: establish CISA&#x27;s role in OSS security, drive visibility into OSS usage and risks, reduce risks to the federal government, and harden the broader OSS ecosystem.</p><p><strong>Tags:</strong> SUPPLY, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "US Cybersecurity and Infrastructure Security Agency"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-eu-cra-what-does-it-mean-for-open-source-series-2026-05-07",
      "url": "https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/",
      "title": "EU CRA: What does it mean for open source? (series)",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2023-06-30</p><p>Blog series from late 2023 analysing the impact of the then-draft EU Cyber Resilience Act on the open-source ecosystem.</p><p><strong>Tags:</strong> GOV, SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "GOV",
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-sustain-podcast-episode-185-daniel-stenberg-on-the-curl-project-2026-05-07",
      "url": "https://podcast.sustainoss.org/185",
      "title": "Sustain podcast Episode 185 — Daniel Stenberg on the cURL project",
      "content_html": "<p><em>Sustain podcast (host Richard Littauer)</em></p><p><strong>Published:</strong> 2023-06-16</p><p>16 June 2023 Sustain podcast episode in which Daniel Stenberg discusses the curl project&#x27;s funding model, including his own framing of the donations-vs-contracts economics (&quot;extracting significant value solely from donations is challenging&quot;) and the role of undisclosed anonymous corporate contributions alongside the wolfSSL commercial-support contracts.</p><p><strong>Tags:</strong> OPS, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Sustain podcast (host Richard Littauer)"
        }
      ],
      "tags": [
        "OPS",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-big-sleep-sqlite-disclosure-2026-05-07",
      "url": "https://projectzero.google/2024/10/from-naptime-to-big-sleep.html",
      "title": "Big Sleep (SQLite disclosure)",
      "content_html": "<p><em>Google Project Zero and Google DeepMind</em></p><p><strong>Published:</strong> 2024-11-01</p><p>Project Zero&#x27;s November 2024 announcement that the Big Sleep programme — built on Naptime and on DeepMind&#x27;s frontier model capabilities — had identified an exploitable stack-buffer underflow in SQLite ahead of any release containing the bug, framed as the first known case of an AI agent finding a previously unknown exploitable memory-safety bug in widely used software.</p><p><strong>Tags:</strong> DISC, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Google Project Zero and Google DeepMind"
        }
      ],
      "tags": [
        "DISC",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-naptime-evaluating-offensive-security-capabilities-of-large-language-models-2026-05-07",
      "url": "https://projectzero.google/2024/06/project-naptime.html",
      "title": "Naptime: Evaluating Offensive Security Capabilities of Large Language Models",
      "content_html": "<p><em>Sergei Glazunov, Mark Brand (Google Project Zero)</em></p><p><strong>Published:</strong> 2024-11-01</p><p>Project Zero blog post introducing the Naptime framework for principled LLM-based vulnerability research.</p><p><strong>Tags:</strong> DISC, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Sergei Glazunov, Mark Brand (Google Project Zero)"
        }
      ],
      "tags": [
        "DISC",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-the-record-vulnerability-laws-create-bug-bounties-with-chinese-characteristics-d-2026-05-07",
      "url": "https://therecord.media/china-vulnerability-disclosure-military-government-dakota-cary",
      "title": "The Record — Vulnerability laws create 'bug bounties with Chinese characteristics' (Dakota Cary interview)",
      "content_html": "<p><em>The Record</em></p><p><strong>Published:</strong> 2024-01-01</p><p>January 2024 interview with Dakota Cary characterising the operational effect of China&#x27;s RMSV regulations as &quot;bug bounties with Chinese characteristics&quot; — a structured pipeline through which discovered vulnerabilities serve national-security uses before reaching international defenders.</p><p><strong>Tags:</strong> GOV, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "The Record"
        }
      ],
      "tags": [
        "GOV",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-snell-lee-xu-and-kumar-scaling-llm-test-time-compute-optimally-can-be-more-effec-2026-05-07",
      "url": "https://arxiv.org/abs/2408.03314",
      "title": "Snell, Lee, Xu and Kumar — Scaling LLM Test-Time Compute Optimally Can Be More Effective than Scaling Model Parameters",
      "content_html": "<p><em>Charlie Snell, Jaehoon Lee, Kelvin Xu, Aviral Kumar</em></p><p><strong>Published:</strong> 2024-06-30</p><p>ICLR 2025 oral-presentation paper that establishes the theoretical framework underpinning the test-time compute paradigm now exploited by OpenAI o1, DeepSeek-R1, and the broader inference-scaling literature.</p><p><strong>Tags:</strong> XCUT, DISC, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Charlie Snell, Jaehoon Lee, Kelvin Xu, Aviral Kumar"
        }
      ],
      "tags": [
        "XCUT",
        "DISC",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-von-der-leyen-europe-s-choice-political-guidelines-for-the-european-commission-2-2026-05-07",
      "url": "https://commission.europa.eu/document/download/e6cd4328-673c-4e7a-8683-f63ffb2cf648_en",
      "title": "Von der Leyen — Europe's Choice: Political Guidelines for the European Commission 2024–2029",
      "content_html": "<p><em>Ursula von der Leyen</em></p><p><strong>Published:</strong> 2024-07-01</p><p>July 2024 Political Guidelines for the European Commission 2024–2029, setting out the sovereignty pledges that subsequent Commission policy implements.</p><p><strong>Tags:</strong> SOV, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Ursula von der Leyen"
        }
      ],
      "tags": [
        "SOV",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-a-coherent-european-non-us-cloud-strategy-2026-05-07",
      "url": "https://berthub.eu/articles/posts/a-coherent-non-us-cloud-strategy/",
      "title": "A coherent European/non-US cloud strategy",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2025-05-01</p><p>Hubert&#x27;s May 2025 piece outlining a modular European cloud strategy that aligns with the EuroStack proposal.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-aituglo-cassim-the-state-of-bug-bounty-in-2026-2026-05-07",
      "url": "https://aituglo.com/state-of-bug-bounty-in-2026/",
      "title": "Aituglo (Cassim) — The State of Bug Bounty in 2026",
      "content_html": "<p><em>Yassine Aituglo (Cassim)</em></p><p><strong>Published:</strong> 2025-06-30</p><p>Industry-survey-style analysis of the bug-bounty ecosystem in 2026, focused on the documented shift among large organisations toward reducing reliance on external bounty programmes in favour of internal AI-based scanning.</p><p><strong>Tags:</strong> DISC, OPS, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Yassine Aituglo (Cassim)"
        }
      ],
      "tags": [
        "DISC",
        "OPS",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-atlantic-council-sleight-of-hand-how-china-weaponizes-software-vulnerabilities-2026-05-07",
      "url": "https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/",
      "title": "Atlantic Council — Sleight of Hand: How China Weaponizes Software Vulnerabilities",
      "content_html": "<p><em>Atlantic Council research team (with Dakota Cary as lead analyst)</em></p><p><strong>Published:</strong> 2025-03-01</p><p>March 2025 Atlantic Council report analysing China&#x27;s Regulations on the Management of Network Product Security Vulnerabilities (RMSV), which require domestic software vulnerability reporting to the Ministry of Industry and Information Technology within 48 hours and prohibit publication or transfer abroad before vendor patching.</p><p><strong>Tags:</strong> GOV, EXPL, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Atlantic Council research team (with Dakota Cary as lead analyst)"
        }
      ],
      "tags": [
        "GOV",
        "EXPL",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-biczok-romanosky-and-liu-realigning-incentives-to-build-better-software-2026-05-07",
      "url": "http://kmlabcw.iis.u-tokyo.ac.jp/weis/2025/doc/proceedings/WEIS2025_paper_29.pdf",
      "title": "Biczok, Romanosky and Liu — Realigning Incentives to Build Better Software",
      "content_html": "<p><em>Gergely Biczók, Sasha Romanosky (RAND), Tianhao Liu</em></p><p><strong>Published:</strong> 2025-06-30</p><p>WEIS 2025 paper analysing vendor-accountability mechanisms and the alignment of economic incentives with software security outcomes.</p><p><strong>Tags:</strong> GOV, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Gergely Biczók, Sasha Romanosky (RAND), Tianhao Liu"
        }
      ],
      "tags": [
        "GOV",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cert-cc-protecting-ai-from-the-outside-in-the-case-for-coordinated-vulnerability-2026-05-07",
      "url": "https://www.sei.cmu.edu/blog/protecting-ai-from-the-outside-in-the-case-for-coordinated-vulnerability-disclosure/",
      "title": "CERT/CC — Protecting AI from the Outside In: The Case for Coordinated Vulnerability Disclosure",
      "content_html": "<p><em>CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University</em></p><p><strong>Published:</strong> 2025-02-01</p><p>February 2025 CERT/CC blog post arguing that coordinated vulnerability disclosure norms developed for traditional software are the appropriate starting point for handling vulnerabilities in AI systems, with adaptations rather than replacement.</p><p><strong>Tags:</strong> DISCL, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University"
        }
      ],
      "tags": [
        "DISCL",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-circl-global-cve-allocation-system-gcve-2026-05-07",
      "url": "https://gcve.eu/about/",
      "title": "CIRCL — Global CVE Allocation System (GCVE)",
      "content_html": "<p><em>Computer Incident Response Center Luxembourg (CIRCL)</em></p><p><strong>Published:</strong> 2025-06-30</p><p>CIRCL&#x27;s Global CVE Allocation System, launched in January 2026, providing a decentralised approach to vulnerability identifier allocation in which independent GCVE Numbering Authorities (GNAs) can assign identifiers without centralised approval.</p><p><strong>Tags:</strong> TRIAGE, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Computer Incident Response Center Luxembourg (CIRCL)"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cisa-kev-catalog-2026-05-07",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
      "title": "CISA — KEV Catalog",
      "content_html": "<p><em>Cybersecurity and Infrastructure Security Agency</em></p><p><strong>Published:</strong> 2025-06-30</p><p>CISA&#x27;s Known Exploited Vulnerabilities catalogue, which lists vulnerabilities for which there is reliable evidence of exploitation in the wild and which carry a Binding Operational Directive remediation deadline for federal civilian agencies.</p><p><strong>Tags:</strong> TRIAGE, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cybersecurity and Infrastructure Security Agency"
        }
      ],
      "tags": [
        "TRIAGE",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cisa-sbom-resources-2026-05-07",
      "url": "https://www.cisa.gov/sbom",
      "title": "CISA — SBOM resources",
      "content_html": "<p><em>Cybersecurity and Infrastructure Security Agency</em></p><p><strong>Published:</strong> 2025-06-30</p><p>CISA&#x27;s resource hub for Software Bill of Materials, which has become the reference operational artefact for the supply-chain-transparency debate.</p><p><strong>Tags:</strong> SUPPLY, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cybersecurity and Infrastructure Security Agency"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cisa-ssvc-stakeholder-specific-vulnerability-categorization-2026-05-07",
      "url": "https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc",
      "title": "CISA — SSVC (Stakeholder-Specific Vulnerability Categorization)",
      "content_html": "<p><em>Cybersecurity and Infrastructure Security Agency</em></p><p><strong>Published:</strong> 2025-06-30</p><p>CISA&#x27;s operational documentation for the SSVC framework adopted as the agency&#x27;s primary vulnerability-prioritisation system.</p><p><strong>Tags:</strong> TRIAGE, OPS, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cybersecurity and Infrastructure Security Agency"
        }
      ],
      "tags": [
        "TRIAGE",
        "OPS",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-conflicting-scores-confusing-signals-an-empirical-study-of-vulnerability-scoring-2026-05-07",
      "url": "https://arxiv.org/abs/2508.13644",
      "title": "Conflicting Scores, Confusing Signals: An Empirical Study of Vulnerability Scoring Systems",
      "content_html": "<p><em>(not individually listed in INT)</em></p><p><strong>Published:</strong> 2025-08-01</p><p>Empirical study of vulnerability-scoring systems based on a 600-CVE dataset covering April–July 2024 Patch Tuesday releases.</p><p><strong>Tags:</strong> TRIAGE, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "(not individually listed in INT)"
        }
      ],
      "tags": [
        "TRIAGE",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cve-bench-a-benchmark-for-ai-agents-ability-to-exploit-real-world-web-applicatio-2026-05-07",
      "url": "https://arxiv.org/abs/2503.17332",
      "title": "CVE-Bench: A Benchmark for AI Agents' Ability to Exploit Real-World Web Application Vulnerabilities",
      "content_html": "<p><em>Yuxuan Zhu et al.</em></p><p><strong>Published:</strong> 2025-03-01</p><p>Benchmark paper measuring AI agent capability to exploit real-world web application vulnerabilities with publicly known patches.</p><p><strong>Tags:</strong> EXPL, DISC, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Yuxuan Zhu et al."
        }
      ],
      "tags": [
        "EXPL",
        "DISC",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-darpa-aixcc-final-results-def-con-33-2026-05-07",
      "url": "https://aicyberchallenge.com/finals-winners-announcement/",
      "title": "DARPA AIxCC final results (DEF CON 33)",
      "content_html": "<p><em>DARPA</em></p><p><strong>Published:</strong> 2025-08-01</p><p>Final results of the DARPA Artificial Intelligence Cyber Challenge presented at DEF CON 33. All winning Cyber Reasoning Systems were open-sourced after the competition, an unusually open posture from a DARPA-run challenge and a signal about the intended diffusion of capability.</p><p><strong>Tags:</strong> DISC, PATCH, HIST, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "DARPA"
        }
      ],
      "tags": [
        "DISC",
        "PATCH",
        "HIST",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-enisa-consult-the-european-vulnerability-database-launch-announcement-2026-05-07",
      "url": "https://www.enisa.europa.eu/news/consult-the-european-vulnerability-database-to-enhance-your-digital-security",
      "title": "ENISA — Consult the European Vulnerability Database (launch announcement)",
      "content_html": "<p><em>ENISA</em></p><p><strong>Published:</strong> 2025-05-01</p><p>ENISA&#x27;s launch announcement for the EUVD service in May 2025, providing the official framing of the database&#x27;s purpose, scope, and integration with the broader CVD obligation under NIS2.</p><p><strong>Tags:</strong> TRIAGE, SOV, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "ENISA"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-enisa-european-vulnerability-database-euvd-2026-05-07",
      "url": "https://euvd.enisa.europa.eu/",
      "title": "ENISA — European Vulnerability Database (EUVD)",
      "content_html": "<p><em>European Union Agency for Cybersecurity (ENISA)</em></p><p><strong>Published:</strong> 2025-05-01</p><p>ENISA&#x27;s European Vulnerability Database, launched in May 2025 under the NIS2 Directive. EUVD is an EU-operated alternative to NVD that cross-references CVEs while issuing its own EUVD identifiers and aggregating data from EU CSIRTs, vendors, and other databases.</p><p><strong>Tags:</strong> TRIAGE, SOV, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "European Union Agency for Cybersecurity (ENISA)"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-enisa-stepping-up-our-role-in-vulnerability-management-enisa-becomes-cve-root-2026-05-07",
      "url": "https://www.enisa.europa.eu/news/stepping-up-our-role-in-vulnerability-management-enisa-becomes-cve-root",
      "title": "ENISA — Stepping up our role in Vulnerability Management: ENISA Becomes CVE Root",
      "content_html": "<p><em>ENISA</em></p><p><strong>Published:</strong> 2025-06-30</p><p>ENISA announcement (2025) of its elevation to CVE Program Root status, building on its position as a CVE Numbering Authority since January 2024.</p><p><strong>Tags:</strong> TRIAGE, SOV, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "ENISA"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-epss-specification-first-2026-05-07",
      "url": "https://www.first.org/epss/",
      "title": "EPSS Specification (FIRST)",
      "content_html": "<p><em>FIRST EPSS Special Interest Group</em></p><p><strong>Published:</strong> 2025-03-01</p><p>Operational documentation for the Exploit Prediction Scoring System maintained by FIRST. EPSS reached version 4 in March 2025, continuing to refine its ML-based exploitation-probability scores.</p><p><strong>Tags:</strong> TRIAGE, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "FIRST EPSS Special Interest Group"
        }
      ],
      "tags": [
        "TRIAGE",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-european-commission-cyber-resilience-act-2026-05-07",
      "url": "https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act",
      "title": "European Commission — Cyber Resilience Act",
      "content_html": "<p><em>European Commission</em></p><p><strong>Published:</strong> 2025-06-30</p><p>Official European Commission landing page for the Cyber Resilience Act. The CRA enters its mandatory reporting phase in September 2026 and constitutes the most comprehensive product-security legislation in force globally.</p><p><strong>Tags:</strong> GOV, SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "European Commission"
        }
      ],
      "tags": [
        "GOV",
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hello-europe-joe-biden-is-gone-2026-05-07",
      "url": "https://berthub.eu/articles/posts/hello-europe-joe-biden-is-gone/",
      "title": "Hello Europe, Joe Biden is gone",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2025-11-01</p><p>November 2025 blog post arguing that the change in US administration removes assumptions European governments and infrastructure operators had quietly built into their dependence on US institutions and platforms.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-house-homeland-security-joint-subcommittee-hearing-the-quantum-ai-and-cloud-land-2026-05-07",
      "url": "https://homeland.house.gov/hearing/the-quantum-ai-and-cloud-landscape-examining-opportunities-vulnerabilities-and-the-future-of-cybersecurity/",
      "title": "House Homeland Security joint subcommittee hearing — The Quantum, AI, and Cloud Landscape: Examining Opportunities, Vulnerabilities, and the Future of Cybersecurity",
      "content_html": "<p><em>US Congress, 119th Cong. (House Committee on Homeland Security&#x27;s Subcommittee on Cybersecurity and Infrastructure Protection, chaired by Ogles, Swalwell ranking; Subcommittee on Oversight, Investigations, and Accountability, chaired by Brecheen, Thanedar ranking; Garbarino full committee chair, Thompson ranking ex officio). Witnesses: Logan Graham PhD (Frontier Red Team, Anthropic PBC); Royal Hansen (Google LLC); Eddy Zervigon (Quantum Xchange); Michael Coates (Seven Hill Ventures; former Twitter CISO; former Mozilla security lead).</em></p><p><strong>Published:</strong> 2025-12-17</p><p>17 December 2025 joint hearing convened to examine the November 2025 Anthropic disclosure of GTG-1002, a CCP-sponsored cyber espionage campaign that misused Claude Code and Model Context Protocol tools to autonomously execute substantial portions of attacks against approximately 30 entities.</p><p><strong>Tags:</strong> DISC, EXPL, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "US Congress, 119th Cong. (House Committee on Homeland Security's Subcommittee on Cybersecurity and Infrastructure Protection, chaired by Ogles, Swalwell ranking; Subcommittee on Oversight, Investigations, and Accountability, chaired by Brecheen, Thanedar ranking; Garbarino full committee chair, Thompson ranking ex officio). Witnesses: Logan Graham PhD (Frontier Red Team, Anthropic PBC); Royal Hansen (Google LLC); Eddy Zervigon (Quantum Xchange); Michael Coates (Seven Hill Ventures; former Twitter CISO; former Mozilla security lead)."
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-2026-05-07",
      "url": "https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/",
      "title": "How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel's SMB implementation",
      "content_html": "<p><em>Sean Heelan</em></p><p><strong>Published:</strong> 2025-05-01</p><p>Blog post documenting the discovery of CVE-2025-37899, a remote zero-day in the Linux kernel&#x27;s SMB (ksmbd) implementation, found using OpenAI&#x27;s o3 model with a parallel-sampling methodology.</p><p><strong>Tags:</strong> DISC, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Sean Heelan"
        }
      ],
      "tags": [
        "DISC",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hubert-it-is-no-longer-safe-to-move-our-governments-and-societies-to-us-clouds-2026-05-07",
      "url": "https://berthub.eu/articles/posts/you-can-no-longer-base-your-government-and-society-on-us-clouds/",
      "title": "Hubert — It is no longer safe to move our governments and societies to US clouds",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2025-02-01</p><p>February 2025 piece (referenced in 2026 INT preparation alongside the more recent Hubert posts) framing the broader sovereignty argument that the later 2026 posts develop in operational detail.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hubert-the-ai-collapse-pre-mortem-2026-05-07",
      "url": "https://berthub.eu/articles/posts/an-ai-premortem/",
      "title": "Hubert — The AI-collapse pre-mortem",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2025-10-01</p><p>October 2025 piece offering a balanced assessment of AI capability versus AI bubble dynamics.</p><p><strong>Tags:</strong> XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hubert-the-european-cloud-situation-at-the-end-of-2025-2026-05-07",
      "url": "https://berthub.eu/articles/posts/the-european-cloud-2025/",
      "title": "Hubert — The European Cloud Situation at the end of 2025",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2025-12-01</p><p>December 2025 comprehensive review of why buyers, sellers, and governments have collectively failed to act on stated European-cloud-sovereignty policy.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-li-et-al-everything-you-wanted-to-know-about-llm-based-vulnerability-detection-b-2026-05-07",
      "url": "https://arxiv.org/abs/2504.13474",
      "title": "Li et al. — Everything You Wanted to Know About LLM-based Vulnerability Detection But Were Afraid to Ask",
      "content_html": "<p><em>Li et al.</em></p><p><strong>Published:</strong> 2025-04-01</p><p>April 2025 unreviewed preprint applying Snell et al.&#x27;s test-time-compute framework specifically to vulnerability detection, distinguishing &quot;System 1&quot; (pattern-matching) from &quot;System 2&quot; (deliberate reasoning) LLM behaviour.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Li et al."
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-nist-cybersecurity-framework-csf-2-0-2026-05-07",
      "url": "https://www.nist.gov/cyberframework",
      "title": "NIST — Cybersecurity Framework (CSF 2.0)",
      "content_html": "<p><em>National Institute of Standards and Technology</em></p><p><strong>Published:</strong> 2025-06-30</p><p>NIST&#x27;s flagship voluntary cybersecurity-management framework, updated to version 2.0 in 2024 with explicit governance functions added alongside the original five.</p><p><strong>Tags:</strong> GOV, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "National Institute of Standards and Technology"
        }
      ],
      "tags": [
        "GOV",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-openai-introducing-aardvark-with-dave-aitel-commentary-2026-05-07",
      "url": "https://openai.com/index/introducing-aardvark/",
      "title": "OpenAI — Introducing Aardvark (with Dave Aitel commentary)",
      "content_html": "<p><em>OpenAI; Dave Aitel (public statements)</em></p><p><strong>Published:</strong> 2025-10-01</p><p>October 2025 OpenAI launch of Aardvark, with accompanying public statements from Dave Aitel — former NSA offensive researcher and founder of the SPIKE fuzzer and Immunity — who frames Aardvark as a tool for developers (&quot;tokens cost money but bugs cost more&quot;).</p><p><strong>Tags:</strong> DISC, DISCL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "OpenAI; Dave Aitel (public statements)"
        }
      ],
      "tags": [
        "DISC",
        "DISCL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-openssf-slsa-framework-2026-05-07",
      "url": "https://slsa.dev/",
      "title": "OpenSSF — SLSA framework",
      "content_html": "<p><em>Open Source Security Foundation</em></p><p><strong>Published:</strong> 2025-06-30</p><p>Supply-chain Levels for Software Artifacts (SLSA), the OpenSSF-maintained framework for assessing supply-chain security maturity across build provenance, source integrity, and dependency management.</p><p><strong>Tags:</strong> SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Open Source Security Foundation"
        }
      ],
      "tags": [
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-owasp-cyclonedx-2026-05-07",
      "url": "https://cyclonedx.org/",
      "title": "OWASP — CycloneDX",
      "content_html": "<p><em>OWASP CycloneDX project</em></p><p><strong>Published:</strong> 2025-06-30</p><p>The OWASP-maintained CycloneDX SBOM standard, one of the two primary SBOM formats (SPDX is the other).</p><p><strong>Tags:</strong> SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "OWASP CycloneDX project"
        }
      ],
      "tags": [
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-piao-and-woods-unfairness-in-the-bug-bounty-ecosystem-2026-05-07",
      "url": "http://kmlabcw.iis.u-tokyo.ac.jp/weis/2025/doc/proceedings/WEIS2025_paper_25.pdf",
      "title": "Piao and Woods — Unfairness in the Bug Bounty Ecosystem",
      "content_html": "<p><em>Yiyao Piao, Daniel W. Woods</em></p><p><strong>Published:</strong> 2025-06-30</p><p>WEIS 2025 paper documenting structural unfairness in the bug-bounty ecosystem: differential treatment of researchers across geographies, opaque triage decisions, and the asymmetric power relationship between platform, programme owner, and researcher.</p><p><strong>Tags:</strong> XCUT, DISC, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Yiyao Piao, Daniel W. Woods"
        }
      ],
      "tags": [
        "XCUT",
        "DISC",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-policy-and-disclosure-2025-edition-reporting-transparency-2026-05-07",
      "url": "https://projectzero.google/2025/07/reporting-transparency.html",
      "title": "Policy and Disclosure: 2025 Edition — Reporting Transparency",
      "content_html": "<p><em>Tim Willis (Google Project Zero)</em></p><p><strong>Published:</strong> 2025-07-01</p><p>Project Zero blog post announcing the 2025 update to P0&#x27;s disclosure policy. P0 now shares limited details (vendor, product, date, deadline) within one week of reporting to vendor.</p><p><strong>Tags:</strong> DISCL, PATCH</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Tim Willis (Google Project Zero)"
        }
      ],
      "tags": [
        "DISCL",
        "PATCH"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-q4-2025-vulnerability-forecast-first-blog-2026-05-07",
      "url": "https://www.first.org/blog/20251016-Q4Vulnerability-Forecast",
      "title": "Q4 2025 Vulnerability Forecast (FIRST blog)",
      "content_html": "<p><em>Éireann Leverett (FIRST)</em></p><p><strong>Published:</strong> 2025-10-01</p><p>October 2025 FIRST blog post in which Leverett sets out the next-generation forecasting agenda for the FIRST Vulnerability Forecasting community: extending forecasts beyond aggregate counts into product, vendor, CVSS vector, CWE, and CNA breakdowns, and ultimately to predicting which vulnerabilities will be exploited and which products and vendors will host them.</p><p><strong>Tags:</strong> TRIAGE, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Éireann Leverett (FIRST)"
        }
      ],
      "tags": [
        "TRIAGE",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-rapid7-2026-global-threat-landscape-report-2026-05-07",
      "url": "https://www.rapid7.com/blog/post/tr-accelerating-attack-cycle-2026-global-threat-landscape-report/",
      "title": "Rapid7 — 2026 Global Threat Landscape Report",
      "content_html": "<p><em>Rapid7 Research</em></p><p><strong>Published:</strong> 2025-06-30</p><p>Time-to-exploit is one of the most operationally meaningful metrics for the AI-era debate: it captures the practical question defenders face about how much patching window they actually have, and Rapid7&#x27;s measurement methodology is one of the most consistent multi-year series in industry reporting.</p><p><strong>Tags:</strong> EXPL, TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Rapid7 Research"
        }
      ],
      "tags": [
        "EXPL",
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-runzero-divining-risk-deciphering-signals-2026-05-07",
      "url": "https://www.runzero.com/uploads/documents/reports/2025_05_REPORT_Divining-Risk_Rev1.pdf",
      "title": "RunZero — Divining Risk: Deciphering Signals",
      "content_html": "<p><em>RunZero</em></p><p><strong>Published:</strong> 2025-05-01</p><p>May 2025 detailed practitioner analysis of CVSS v3.1, EPSS v4, and SSVC v2 together. Key findings: CVSS distributions offer the illusion of stability with little predictive value; EPSS offers strong signal when scores jump but requires monitoring; SSVC highlights that most organisations still struggle with basic asset management, making environmental triage difficult.</p><p><strong>Tags:</strong> TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "RunZero"
        }
      ],
      "tags": [
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-sysdig-cve-wake-up-call-what-s-ahead-after-the-mitre-funding-fiasco-2026-05-07",
      "url": "https://www.sysdig.com/blog/cve-wake-up-call-whats-ahead-after-the-mitre-funding-fiasco",
      "title": "Sysdig — CVE wake-up call: What's ahead after the MITRE funding fiasco",
      "content_html": "<p><em>Sysdig</em></p><p><strong>Published:</strong> 2025-04-01</p><p>April 2025 industry analysis of the April 2025 MITRE/CVE funding crisis in which the CVE Program contract nearly lapsed, prompting CISA&#x27;s emergency 11-month extension and the formation of the CVE Foundation as a nonprofit alternative governance vehicle.</p><p><strong>Tags:</strong> SOV, GOV, TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Sysdig"
        }
      ],
      "tags": [
        "SOV",
        "GOV",
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-vlai-a-roberta-based-model-for-automated-vulnerability-severity-classification-2026-05-07",
      "url": "https://arxiv.org/abs/2507.03607",
      "title": "VLAI: A RoBERTa-Based Model for Automated Vulnerability Severity Classification",
      "content_html": "<p><em>Cédric Bonhomme, Alexandre Dulaunoy</em></p><p><strong>Published:</strong> 2025-07-01</p><p>July 2025 paper describing CIRCL&#x27;s open-source transformer-based model fine-tuned on over 600,000 vulnerabilities.</p><p><strong>Tags:</strong> TRIAGE, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cédric Bonhomme, Alexandre Dulaunoy"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-vulncheck-state-of-exploitation-2026-2026-05-07",
      "url": "https://www.vulncheck.com/blog/state-of-exploitation-2026",
      "title": "VulnCheck — State of Exploitation 2026",
      "content_html": "<p><em>VulnCheck</em></p><p><strong>Published:</strong> 2025-06-30</p><p>VulnCheck&#x27;s annual exploitation analysis, focused on KEV timing and on the lag between vulnerability publication and exploitation in the wild.</p><p><strong>Tags:</strong> EXPL, TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "VulnCheck"
        }
      ],
      "tags": [
        "EXPL",
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-what-we-in-the-open-world-are-messing-up-in-trying-to-compete-with-big-tech-2026-05-07",
      "url": "https://berthub.eu/articles/posts/what-the-open-world-must-do-better/",
      "title": "What we in the open world are messing up in trying to compete with big tech",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2025-05-01</p><p>Hubert&#x27;s May 2025 piece on why European and open-source alternatives to US tech platforms have struggled to gain traction, focusing on user-experience, service-first design, and the comfort gap between incumbent platforms and challengers.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-williams-the-world-runs-20-billion-instances-of-curl-where-s-the-support-2026-05-07",
      "url": "https://thenewstack.io/the-world-runs-20-billion-instances-of-curl-wheres-the-support/",
      "title": "Williams — The World Runs 20 Billion Instances of Curl. Where's the Support?",
      "content_html": "<p><em>Alex Williams (*The New Stack*)</em></p><p><strong>Published:</strong> 2025-08-25</p><p>25 August 2025 *New Stack* coverage of Daniel Stenberg&#x27;s Open Source Summit Europe 2025 keynote (&quot;The World Runs 20 Billion Instances of Curl. Where&#x27;s the Support?&quot;).</p><p><strong>Tags:</strong> OPS, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Alex Williams (*The New Stack*)"
        }
      ],
      "tags": [
        "OPS",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-aisle-ai-cybersecurity-after-mythos-the-jagged-frontier-2026-05-07",
      "url": "https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier",
      "title": "AISLE — AI Cybersecurity After Mythos: The Jagged Frontier",
      "content_html": "<p><em>AISLE</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 analysis from AISLE on the &quot;jagged frontier&quot; of AI cybersecurity capability post-Mythos: the observation that capability advances are uneven across vulnerability classes, with some classes (web application, memory corruption on unhardened targets) commoditised quickly and others (hardware primitives, complex multi-step chains) much less so.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "AISLE"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-frontier-red-team-0-days-opus-4-6-vulnerability-discovery-2026-05-07",
      "url": "https://red.anthropic.com/2026/zero-days/",
      "title": "Anthropic Frontier Red Team — 0-Days (Opus 4.6 vulnerability discovery)",
      "content_html": "<p><em>Anthropic Frontier Red Team</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 Frontier Red Team writeup of Opus 4.6 vulnerability-discovery results, the predecessor to the Mythos Preview evaluation.</p><p><strong>Tags:</strong> DISC, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic Frontier Red Team"
        }
      ],
      "tags": [
        "DISC",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-claude-security-public-beta-2026-05-07",
      "url": "https://claude.com/blog/claude-security-public-beta",
      "title": "Anthropic — Claude Security public beta",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-04-30</p><p>30 April 2026 product announcement that Claude Security (formerly Claude Code Security) has moved from limited research preview to public beta for Claude Enterprise customers, with Team and Max access &quot;coming soon.&quot; The product runs Opus 4.7 against customer codebases (selectable repository, directory, or branch), produces vulnerability findings with confidence ratings, severity assessments, reproduction instructions, and proposed targeted patches that can be opened in Claude Code on the Web.</p><p><strong>Tags:</strong> OPS, DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "OPS",
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-cyber-verification-program-real-time-cyber-safeguards-on-claude-2026-05-07",
      "url": "https://support.claude.com/en/articles/14604842-real-time-cyber-safeguards-on-claude",
      "title": "Anthropic — Cyber Verification Program (real-time cyber safeguards on Claude)",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-04-30</p><p>Anthropic support documentation describing the opt-in mechanism by which organisations conducting work that may trigger Opus 4.7&#x27;s automatic real-time cyber safeguards can become verified for continued capability access.</p><p><strong>Tags:</strong> POL, GOV, XCUT, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "XCUT",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-frontier-red-team-assessing-claude-mythos-preview-s-cybersecurity-capa-2026-05-07",
      "url": "https://red.anthropic.com/2026/mythos-preview/",
      "title": "Anthropic Frontier Red Team — Assessing Claude Mythos Preview's cybersecurity capabilities",
      "content_html": "<p><em>Anthropic Frontier Red Team</em></p><p><strong>Published:</strong> 2026-04-07</p><p>Anthropic&#x27;s 7 April 2026 Frontier Red Team writeup of the Mythos Preview cybersecurity evaluation, which is the primary technical source for the capability claims that drive the broader 2026 discourse.</p><p><strong>Tags:</strong> DISC, EXPL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic Frontier Red Team"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-anthropic-project-glasswing-securing-critical-software-for-the-ai-era-2026-05-07",
      "url": "https://www.anthropic.com/glasswing",
      "title": "Anthropic — Project Glasswing: Securing critical software for the AI era",
      "content_html": "<p><em>Anthropic</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 announcement of Anthropic&#x27;s Project Glasswing, the defensive-deployment counterpart to the Mythos Preview offensive-capability demonstration.</p><p><strong>Tags:</strong> DISC, POL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Anthropic"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-apple-a-major-evolution-of-apple-security-bounty-october-2025-effective-november-2026-05-07",
      "url": "https://security.apple.com/blog/apple-security-bounty-evolved/",
      "title": "Apple — A major evolution of Apple Security Bounty (October 2025; effective November 2025)",
      "content_html": "<p><em>Apple Security</em></p><p><strong>Published:</strong> 2026-06-30</p><p>October 2025 Apple Security blog post (effective November 2025) announcing the doubling of the top Apple Security Bounty award to $2 million for zero-click full-chain exploits (&quot;mercenary spyware tier&quot;), with a bonus system that can take total awards beyond $5 million.</p><p><strong>Tags:</strong> DISCL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Apple Security"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-asis-project-glasswing-anthropic-s-new-initiative-to-use-ai-to-bolster-cyber-def-2026-05-07",
      "url": "https://www.asisonline.org/security-management-magazine/latest-news/today-in-security/2026/april/project-glasswing/",
      "title": "ASIS — Project Glasswing: Anthropic's New Initiative to Use AI to Bolster Cyber Defenses",
      "content_html": "<p><em>ASIS International, *Security Management* magazine</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 ASIS *Security Management* coverage of the Glasswing announcement, providing the security-management-trade-press read on the initiative.</p><p><strong>Tags:</strong> DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "ASIS International, *Security Management* magazine"
        }
      ],
      "tags": [
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-atlantic-council-dragon-tails-preserving-international-cybersecurity-research-2026-05-07",
      "url": "https://www.atlanticcouncil.org/in-depth-research-reports/report/preserving-international-cybersecurity-research/",
      "title": "Atlantic Council — Dragon Tails: Preserving International Cybersecurity Research",
      "content_html": "<p><em>Atlantic Council</em></p><p><strong>Published:</strong> 2026-06-30</p><p>2022 Atlantic Council report on the structural risks to international cybersecurity research from divergent national vulnerability-disclosure regimes.</p><p><strong>Tags:</strong> GOV, SOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Atlantic Council"
        }
      ],
      "tags": [
        "GOV",
        "SOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-balzarotti-bos-caballero-et-al-public-letter-of-support-for-a-european-grand-cha-2026-05-07",
      "url": "https://docs.google.com/document/d/1t5dXnBNIyQbdpGa9EHOKDFEQs-5Pt-FHNKFw1UGmXLI/edit?usp=sharing",
      "title": "Balzarotti, Bos, Caballero et al. — Public Letter of Support for a European Grand Challenge in AI and Security",
      "content_html": "<p><em>Davide Balzarotti (Eurecom, FR), Herbert Bos (VU Amsterdam, NL), Juan Caballero (IMDEA Software, ES), Lorenzo Cavallaro (UCL, UK), Mauro Conti (Padua, IT), Daniele Cono D&#x27;Elia (Sapienza, IT), Aurélien Francillon (Eurecom, FR), Cristiano Giuffrida (VU Amsterdam, NL), Thorsten Holz (MPI-SP, DE), Wouter Joosen (KU Leuven, BE), Pavel Laskov (Liechtenstein), Evangelos Markatos (Crete and FORTH, GR), Mathias Payer (EPFL, CH), Adrian Perrig (ETHZ, CH), Frank Piessens (KU Leuven, BE), Georgios Portokalidis (IMDEA Software, ES), Christian Rossow (CISPA and TU Dortmund, DE), Stefano Zanero (Politecnico di Milano, IT). Press contacts: Balzarotti, Bos, Holz, Payer, Portokalidis, Rossow.</em></p><p><strong>Published:</strong> 2026-05-06</p><p>6 May 2026 public open letter from eighteen senior European systems-security professors calling for a European-scale Grand Challenge in AI and Security modelled on DARPA&#x27;s AIxCC but extending it for European needs and values.</p><p><strong>Tags:</strong> POL, SOV, XCUT, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Davide Balzarotti (Eurecom, FR), Herbert Bos (VU Amsterdam, NL), Juan Caballero (IMDEA Software, ES), Lorenzo Cavallaro (UCL, UK), Mauro Conti (Padua, IT), Daniele Cono D'Elia (Sapienza, IT), Aurélien Francillon (Eurecom, FR), Cristiano Giuffrida (VU Amsterdam, NL), Thorsten Holz (MPI-SP, DE), Wouter Joosen (KU Leuven, BE), Pavel Laskov (Liechtenstein), Evangelos Markatos (Crete and FORTH, GR), Mathias Payer (EPFL, CH), Adrian Perrig (ETHZ, CH), Frank Piessens (KU Leuven, BE), Georgios Portokalidis (IMDEA Software, ES), Christian Rossow (CISPA and TU Dortmund, DE), Stefano Zanero (Politecnico di Milano, IT). Press contacts: Balzarotti, Bos, Holz, Payer, Portokalidis, Rossow."
        }
      ],
      "tags": [
        "POL",
        "SOV",
        "XCUT",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-beardsley-kevology-an-analysis-of-cisa-kev-exploits-scores-timelines-runzero-2026-05-07",
      "url": "https://www.runzero.com/resources/kevology/",
      "title": "Beardsley — KEVology: An analysis of CISA KEV exploits, scores, & timelines (RunZero)",
      "content_html": "<p><em>Tod Beardsley (RunZero, formerly CISA KEV programme Section Chief)</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 RunZero analysis evaluating CVSS, EPSS, SSVC, public-exploit-tooling coverage (Metasploit, Nuclei), and MITRE ATT&amp;CK mappings against the KEV dataset.</p><p><strong>Tags:</strong> TRIAGE, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Tod Beardsley (RunZero, formerly CISA KEV programme Section Chief)"
        }
      ],
      "tags": [
        "TRIAGE",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bonhomme-and-dulaunoy-forecasting-the-sightings-of-vulnerabilities-2026-05-07",
      "url": "https://arxiv.org/abs/2604.16038",
      "title": "Bonhomme and Dulaunoy — Forecasting the Sightings of Vulnerabilities",
      "content_html": "<p><em>Cédric Bonhomme, Alexandre Dulaunoy</em></p><p><strong>Published:</strong> 2026-04-01</p><p>2026 paper extending CIRCL&#x27;s VLAI severity classifier to temporal prediction: given a newly published vulnerability description, estimate when it is likely to be first sighted in operational telemetry.</p><p><strong>Tags:</strong> TRIAGE, EXPL, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cédric Bonhomme, Alexandre Dulaunoy"
        }
      ],
      "tags": [
        "TRIAGE",
        "EXPL",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bright-defense-80-zero-day-exploit-statistics-march-2026-2026-05-07",
      "url": "https://www.brightdefense.com/resources/zero-day-exploit-statistics/",
      "title": "Bright Defense — 80+ Zero-Day Exploit Statistics (March 2026)",
      "content_html": "<p><em>Bright Defense</em></p><p><strong>Published:</strong> 2026-03-01</p><p>Industry-survey-style compilation of zero-day exploitation statistics aggregated across multiple sources.</p><p><strong>Tags:</strong> EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bright Defense"
        }
      ],
      "tags": [
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bugcrowd-bugcrowd-policy-changes-to-address-ai-slop-submissions-2026-05-07",
      "url": "https://www.bugcrowd.com/blog/bugcrowd-policy-changes-to-address-ai-slop-submissions/",
      "title": "Bugcrowd — Bugcrowd policy changes to address \"AI slop\" submissions",
      "content_html": "<p><em>Bugcrowd</em></p><p><strong>Published:</strong> 2026-03-10</p><p>10 March 2026 Bugcrowd blog post coining the term &quot;sloptimism&quot; for &quot;overly optimistic submissions driving large volumes of speculative or AI-generated reports submitted with minimal to no pre-submission validation and limited context.&quot; Reports a **334% queue increase over three weeks** even after excluding legitimate-workflow reports.</p><p><strong>Tags:</strong> DISCL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bugcrowd"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-calif-io-mad-bugs-claude-wrote-a-full-freebsd-exploit-2026-05-07",
      "url": "https://blog.calif.io/p/mad-bugs-claude-wrote-a-full-freebsd",
      "title": "Calif.io — MAD Bugs: Claude wrote a full FreeBSD exploit",
      "content_html": "<p><em>Calif.io</em></p><p><strong>Published:</strong> 2026-03-01</p><p>March 2026 blog post and accompanying technical writeup documenting the development, with Opus 4.6, of two working root-shell exploits against FreeBSD on first attempt with approximately four hours of working time.</p><p><strong>Tags:</strong> DISC, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Calif.io"
        }
      ],
      "tags": [
        "DISC",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-camp-securing-the-software-supply-chain-by-solving-the-lemons-market-ross-anders-2026-05-07",
      "url": "http://kmlabcw.iis.u-tokyo.ac.jp/weis/2025/program/program.html",
      "title": "Camp — Securing the Software Supply Chain by Solving the Lemons Market (Ross Anderson WEIS Lecture)",
      "content_html": "<p><em>L. Jean Camp</em></p><p><strong>Published:</strong> 2026-06-30</p><p>WEIS 2025 Ross Anderson Lecture by L. Jean Camp applying Akerlof&#x27;s &quot;Market for Lemons&quot; framework to software supply chain security: in markets where buyers cannot reliably distinguish secure from insecure software, the market is structurally biased toward the lower-quality option.</p><p><strong>Tags:</strong> SUPPLY, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "L. Jean Camp"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cert-eu-ai-is-changing-the-economics-of-vulnerability-discovery-defenders-must-a-2026-05-07",
      "url": "https://cert.europa.eu/blog/ai-vulnerability-discovery-defenders-must-adapt",
      "title": "CERT-EU — AI is changing the economics of vulnerability discovery, defenders must adapt",
      "content_html": "<p><em>CERT-EU (Computer Emergency Response Team for the EU institutions)</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 CERT-EU blog post that is one of the most operationally significant publications of the period: it both confirms that an AI-powered multi-agent pentesting pipeline is operational at CERT-EU and articulates the &quot;asymmetry within the asymmetry&quot; framing — attackers need one exploit while defenders must triage everything.</p><p><strong>Tags:</strong> DISC, EXPL, OPS, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "CERT-EU (Computer Emergency Response Team for the EU institutions)"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "OPS",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cert-eu-threat-landscape-report-2025-a-year-in-review-2026-05-07",
      "url": "https://cert.europa.eu/blog/threat-landscape-report-2025",
      "title": "CERT-EU — Threat Landscape Report 2025: A Year in Review",
      "content_html": "<p><em>CERT-EU</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 CERT-EU annual threat-landscape report identifying 174 threat actors and documenting the deepening of supply-chain attacks beyond code dependencies into SaaS.</p><p><strong>Tags:</strong> EXPL, SUPPLY, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "CERT-EU"
        }
      ],
      "tags": [
        "EXPL",
        "SUPPLY",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-chisnall-a-few-notes-about-the-massive-hype-surrounding-claude-mythos-2026-05-07",
      "url": "https://infosec.exchange/@david_chisnall/116419479557680376",
      "title": "Chisnall — A few notes about the massive hype surrounding Claude Mythos",
      "content_html": "<p><em>David Chisnall</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 Mastodon thread offering a sceptical practitioner read on the Mythos launch, focused on the gap between hardened-target and unhardened-target vulnerability discovery.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "David Chisnall"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cso-online-cve-program-funding-secured-2026-05-07",
      "url": "https://www.csoonline.com/article/4142600/cve-program-funding-secured-easing-fears-of-repeat-crisis.html",
      "title": "CSO Online — CVE program funding secured",
      "content_html": "<p><em>CSO Online</em></p><p><strong>Published:</strong> 2026-03-01</p><p>March 2026 coverage of the more durable CVE programme funding arrangement that emerged after the April 2025 crisis and the subsequent emergency extensions.</p><p><strong>Tags:</strong> SOV, TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "CSO Online"
        }
      ],
      "tags": [
        "SOV",
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cso-online-patch-windows-collapse-as-time-to-exploit-accelerates-2026-05-07",
      "url": "https://www.csoonline.com/article/4156005/patch-windows-collapse-as-time-to-exploit-accelerates.html",
      "title": "CSO Online — Patch windows collapse as time-to-exploit accelerates",
      "content_html": "<p><em>CSO Online</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 industry coverage of the time-to-exploit compression story, drawing on Rapid7, VulnCheck, and Mandiant data.</p><p><strong>Tags:</strong> EXPL, PATCH</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "CSO Online"
        }
      ],
      "tags": [
        "EXPL",
        "PATCH"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cyber-strategy-institute-2026-vulnerability-report-5-critical-exploitation-trend-2026-05-07",
      "url": "https://cyberstrategyinstitute.com/2026-vulnerability-report/",
      "title": "Cyber Strategy Institute — 2026 Vulnerability Report: 5 Critical Exploitation Trends",
      "content_html": "<p><em>Cyber Strategy Institute</em></p><p><strong>Published:</strong> 2026-06-30</p><p>Industry annual report cataloguing the five exploitation trends the institute treats as most consequential for 2026.</p><p><strong>Tags:</strong> EXPL, TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cyber Strategy Institute"
        }
      ],
      "tags": [
        "EXPL",
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-cybersecurity-dive-the-cve-program-is-teetering-on-the-brink-rsac-2026-panel-2026-05-07",
      "url": "https://www.cybersecuritydive.com/news/cve-program-ai-vulnerability-reports-funding/815594/",
      "title": "Cybersecurity Dive — The CVE Program is teetering on the brink (RSAC 2026 panel)",
      "content_html": "<p><em>Cybersecurity Dive</em></p><p><strong>Published:</strong> 2026-06-30</p><p>RSAC 2026 panel coverage detailing the $28 million MITRE-contract figure and characterising the cancellation as collateral damage from a broader cost-cutting exercise rather than a deliberate vulnerability-management policy decision.</p><p><strong>Tags:</strong> SOV, GOV, TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cybersecurity Dive"
        }
      ],
      "tags": [
        "SOV",
        "GOV",
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-delinea-cisa-funding-cuts-the-impact-on-mitre-att-ck-and-cve-2026-05-07",
      "url": "https://delinea.com/blog/how-cisa-funding-cuts-will-impact-your-dependence-on-mitre-attack-and-cve",
      "title": "Delinea — CISA Funding Cuts: The Impact on MITRE ATT&CK and CVE",
      "content_html": "<p><em>Delinea</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 industry-analysis post documenting the CISA budget situation, the six-week federal government shutdown (October–November 2025), and the FY2026 budget proposal&#x27;s approximately 1,000-position cut at CISA.</p><p><strong>Tags:</strong> SOV, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Delinea"
        }
      ],
      "tags": [
        "SOV",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-deps-dev-google-open-source-insights-2026-05-07",
      "url": "https://deps.dev/",
      "title": "deps.dev (Google Open Source Insights)",
      "content_html": "<p><em>Google</em></p><p><strong>Published:</strong> 2026-06-30</p><p>Google&#x27;s open dependency-graph data platform, providing scale-level reverse-dependency, version, license and security-advisory data across npm, PyPI, Maven, Go, NuGet, Cargo and other registries.</p><p><strong>Tags:</strong> SUPPLY, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Google"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-discourse-discourse-is-not-going-closed-source-ai-driven-defensive-scanning-in-p-2026-05-07",
      "url": "https://blog.discourse.org/2026/04/discourse-is-not-going-closed-source/",
      "title": "Discourse — Discourse is Not Going Closed Source (AI-driven defensive scanning in practice)",
      "content_html": "<p><em>Discourse (forum-software vendor)</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 blog post in which Discourse, the open-source forum platform, documents its operational use of AI-driven defensive vulnerability scanning and explicitly addresses the concern that AI-assisted security scanning would push open-source projects toward closed-source defensive postures.</p><p><strong>Tags:</strong> OPS, DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Discourse (forum-software vendor)"
        }
      ],
      "tags": [
        "OPS",
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ecosyste-ms-andrew-nesbitt-2026-05-07",
      "url": "https://ecosyste.ms/",
      "title": "Ecosyste.ms (Andrew Nesbitt)",
      "content_html": "<p><em>Andrew Nesbitt</em></p><p><strong>Published:</strong> 2026-06-30</p><p>Open-data infrastructure project providing cross-registry package and dependency data, project metadata, sustainability signals, and download statistics across the open-source ecosystem.</p><p><strong>Tags:</strong> SUPPLY, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Andrew Nesbitt"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-european-parliament-european-technological-sovereignty-and-digital-infrastructur-2026-05-07",
      "url": "https://oeil.europarl.europa.eu/oeil/en/document-summary?id=1884418",
      "title": "European Parliament — European technological sovereignty and digital infrastructure (resolution)",
      "content_html": "<p><em>European Parliament</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 European Parliament resolution adopted 471-68-71 specifically flagging &quot;excessive reliance on non-European actors in critical areas such as cloud infrastructure, semiconductors, AI, and cybersecurity.&quot; The resolution is one of the formal political instruments anchoring the sovereignty argument.</p><p><strong>Tags:</strong> SOV, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "European Parliament"
        }
      ],
      "tags": [
        "SOV",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-far-ai-an-independent-safety-evaluation-of-kimi-k2-5-2026-05-07",
      "url": "https://arxiv.org/pdf/2604.03121",
      "title": "FAR.AI — An Independent Safety Evaluation of Kimi K2.5",
      "content_html": "<p><em>Struppek, Gleave, Pelrine et al. (FAR.AI)</em></p><p><strong>Published:</strong> 2026-03-01</p><p>March 2026 arXiv preprint from FAR. AI providing an independent third-party safety and capability evaluation of the Kimi K2.5 open-weight model.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Struppek, Gleave, Pelrine et al. (FAR.AI)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-first-vulnerability-forecast-2026-the-year-ahead-2026-05-07",
      "url": "https://www.first.org/blog/20260211-vulnerability-forecast-2026",
      "title": "FIRST — Vulnerability Forecast 2026: The Year Ahead",
      "content_html": "<p><em>Éireann Leverett (FIRST)</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 FIRST forecast for the year ahead, using a model optimised for realistic prediction intervals rather than point-prediction accuracy and incorporating the structural break in CVE publication patterns after 2017.</p><p><strong>Tags:</strong> TRIAGE, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Éireann Leverett (FIRST)"
        }
      ],
      "tags": [
        "TRIAGE",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-folkerts-et-al-measuring-ai-agents-progress-on-multi-step-cyber-attack-scenarios-2026-05-07",
      "url": "https://arxiv.org/abs/2603.11214",
      "title": "Folkerts et al. — Measuring AI Agents' Progress on Multi-Step Cyber Attack Scenarios (UK AISI)",
      "content_html": "<p><em>Folkerts et al. (UK AI Security Institute, Cyber &amp; Autonomous Systems team — 14 authors)</em></p><p><strong>Published:</strong> 2026-03-01</p><p>March 2026 arXiv preprint from UK AISI&#x27;s Cyber &amp; Autonomous Systems team measuring AI-agent capability across multi-step cyber-attack scenarios.</p><p><strong>Tags:</strong> DISC, EXPL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Folkerts et al. (UK AI Security Institute, Cyber & Autonomous Systems team — 14 authors)"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-forrester-project-glasswing-the-10-consequences-nobody-s-writing-about-yet-2026-05-07",
      "url": "https://www.forrester.com/blogs/project-glasswing-the-10-consequences-nobodys-writing-about-yet/",
      "title": "Forrester — Project Glasswing: The 10 Consequences Nobody's Writing About Yet",
      "content_html": "<p><em>Forrester</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 industry-analyst piece working through the second-order consequences of the Glasswing announcement that the immediate news coverage missed.</p><p><strong>Tags:</strong> DISC, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Forrester"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-gcve-bcp-02-practical-guide-to-vulnerability-handling-and-disclosure-2026-05-07",
      "url": "https://gcve.eu/news/",
      "title": "GCVE — BCP-02, Practical Guide to Vulnerability Handling and Disclosure",
      "content_html": "<p><em>GCVE community</em></p><p><strong>Published:</strong> 2026-06-30</p><p>GCVE Best Current Practice document on practical vulnerability handling and disclosure procedures within the federated GCVE model.</p><p><strong>Tags:</strong> DISCL, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "GCVE community"
        }
      ],
      "tags": [
        "DISCL",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-gcve-bcp-07-federated-kev-assertion-standard-2026-05-07",
      "url": "https://gcve.eu/tags/announce/",
      "title": "GCVE — BCP-07, Federated KEV Assertion Standard",
      "content_html": "<p><em>GCVE community</em></p><p><strong>Published:</strong> 2026-06-30</p><p>GCVE Best Current Practice document on federated KEV assertion: a decentralised approach to KEV-equivalent signals that does not depend on a single national authority.</p><p><strong>Tags:</strong> TRIAGE, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "GCVE community"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-github-bug-bounty-program-with-the-wiz-cve-2026-3854-case-2026-05-07",
      "url": "https://bounty.github.com/",
      "title": "GitHub — Bug Bounty Program (with the Wiz CVE-2026-3854 case)",
      "content_html": "<p><em>GitHub Security Lab / Bug Bounty Team</em></p><p><strong>Published:</strong> 2026-04-29</p><p>GitHub Bug Bounty programme home (with about page at https://bounty.github.com/about), notable for two structural features in the post-Mythos environment.</p><p><strong>Tags:</strong> DISCL, OPS, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "GitHub Security Lab / Bug Bounty Team"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-global-policy-watch-european-commission-proposes-cybersecurity-act-2-2026-05-07",
      "url": "https://www.globalpolicywatch.com/2026/01/european-commission-proposes-cybersecurity-act-2-new-eu-supply-chain-rules-and-certification-reforms/",
      "title": "Global Policy Watch — European Commission Proposes Cybersecurity Act 2",
      "content_html": "<p><em>Global Policy Watch</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 analysis of the proposed Cybersecurity Act 2 (CSA2), covering the new EU supply-chain rules and certification reforms.</p><p><strong>Tags:</strong> GOV, SUPPLY, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Global Policy Watch"
        }
      ],
      "tags": [
        "GOV",
        "SUPPLY",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-google-bug-hunters-evolving-the-android-chrome-vrps-for-the-ai-era-2026-05-07",
      "url": "https://bughunters.google.com/blog/evolving-the-android-chrome-vrps-for-the-ai-era",
      "title": "Google Bug Hunters — Evolving the Android & Chrome VRPs for the AI Era",
      "content_html": "<p><em>Alex Gough (Information Security Engineer), Shailesh Saini (Director, Android), Tony Mendez (Technical Program Manager) — Google Bug Hunters</em></p><p><strong>Published:</strong> 2026-04-30</p><p>30 April 2026 Google Bug Hunters blog post — direct vendor-side announcement of structural rebalancing of the Android and Chrome bug-bounty programmes in explicit response to AI-accelerated discovery.</p><p><strong>Tags:</strong> DISC, DISCL, OPS, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Alex Gough (Information Security Engineer), Shailesh Saini (Director, Android), Tony Mendez (Technical Program Manager) — Google Bug Hunters"
        }
      ],
      "tags": [
        "DISC",
        "DISCL",
        "OPS",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-google-gtig-defending-your-enterprise-when-ai-models-can-find-vulnerabilities-fa-2026-05-07",
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities",
      "title": "Google GTIG — Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever",
      "content_html": "<p><em>Google Threat Intelligence Group (GTIG)</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 GTIG analysis on enterprise defensive posture under AI-accelerated discovery, drawing on Google&#x27;s M-Trends 2026 data.</p><p><strong>Tags:</strong> OPS, EXPL, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Google Threat Intelligence Group (GTIG)"
        }
      ],
      "tags": [
        "OPS",
        "EXPL",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-grauer-attack-of-the-killer-script-kiddies-the-verge-2026-05-07",
      "url": "https://www.theverge.com/ai-artificial-intelligence/915660/mythos-script-kiddies-hackers-attack-cybersecurity-ai",
      "title": "Grauer — Attack of the killer script kiddies (*The Verge*)",
      "content_html": "<p><em>Yael Grauer (*The Verge*)</em></p><p><strong>Published:</strong> 2026-04-28</p><p>28 April 2026 mainstream-press synthesis of the post-Mythos offensive-capability evidence base, framed around the script-kiddie capability-floor thesis (the claim that LLMs are putting useful offensive capability in the hands of operators who previously could only run others&#x27; scripts).</p><p><strong>Tags:</strong> DISC, EXPL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Yael Grauer (*The Verge*)"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-grinstead-holler-braun-behind-the-scenes-hardening-firefox-with-claude-mythos-pr-2026-05-07",
      "url": "https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/",
      "title": "Grinstead, Holler & Braun — Behind the Scenes Hardening Firefox with Claude Mythos Preview (Mozilla Hacks)",
      "content_html": "<p><em>Brian Grinstead (Firefox staff engineer), Christian Holler (Firefox Tech Lead and Principal Engineer; canonical Mozilla fuzzing-infrastructure author), Frederik Braun (Manager, Firefox Application Security team; co-editor of W3C Sanitizer API and Subresource Integrity)</em></p><p><strong>Published:</strong> 2026-05-07</p><p>7 May 2026 Mozilla Hacks blog post by the Firefox security and fuzzing leadership describing the agentic harness Mozilla built and ran to produce the Mythos-era Firefox security fixes announced jointly with Anthropic on 23 April 2026.</p><p><strong>Tags:</strong> OPS, DISC, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Brian Grinstead (Firefox staff engineer), Christian Holler (Firefox Tech Lead and Principal Engineer; canonical Mozilla fuzzing-infrastructure author), Frederik Braun (Manager, Firefox Application Security team; co-editor of W3C Sanitizer API and Subresource Integrity)"
        }
      ],
      "tags": [
        "OPS",
        "DISC",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hackerone-internet-bug-bounty-pause-and-hai-triage-composite-2026-05-07",
      "url": "https://www.infoworld.com/article/4154210/internet-bug-bounty-program-hits-pause-on-payouts.html",
      "title": "HackerOne — Internet Bug Bounty pause and Hai Triage (composite)",
      "content_html": "<p><em>HackerOne</em></p><p><strong>Published:</strong> 2026-03-27</p><p>Composite entry covering HackerOne&#x27;s two principal moves in the post-Mythos environment.</p><p><strong>Tags:</strong> DISCL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "HackerOne"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-heelan-on-the-coming-industrialisation-of-exploit-generation-with-llms-2026-05-07",
      "url": "https://sean.heelan.io/2026/01/18/on-the-coming-industrialisation-of-exploit-generation-with-llms/",
      "title": "Heelan — On the Coming Industrialisation of Exploit Generation with LLMs",
      "content_html": "<p><em>Sean Heelan</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 essay developing the argument that LLM-based exploit generation is moving from artisanal-research mode to industrial-pipeline mode, with consequences across the offence-defence economic landscape.</p><p><strong>Tags:</strong> DISC, EXPL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Sean Heelan"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hemenway-ai-use-in-cybersecurity-could-show-holes-in-short-term-says-fitch-insur-2026-05-07",
      "url": "https://www.insurancejournal.com/magazines/mag-features/2026/05/04/868024.htm",
      "title": "Hemenway — AI Use in Cybersecurity Could Show Holes in Short Term, Says Fitch (*Insurance Journal*)",
      "content_html": "<p><em>Chad Hemenway (*Insurance Journal*); reporting on Fitch Ratings&#x27; February 2026 cyber-marketplace brief</em></p><p><strong>Published:</strong> 2026-05-04</p><p>4 May 2026 *Insurance Journal* magazine feature reporting Fitch Ratings&#x27; February 2026 cyber-marketplace brief and updated post-Mythos commentary, providing the cyber-insurance-underwriter-side institutional anchor on the AI-era cost-curve shift.</p><p><strong>Tags:</strong> XCUT, OPS, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Chad Hemenway (*Insurance Journal*); reporting on Fitch Ratings' February 2026 cyber-marketplace brief"
        }
      ],
      "tags": [
        "XCUT",
        "OPS",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-help-net-security-coordinated-vulnerability-disclosure-is-now-an-eu-obligation-n-2026-05-07",
      "url": "https://www.helpnetsecurity.com/2026/04/15/nuno-rodrigues-carvalho-enisa-cve-program-vulnerability-disclosure/",
      "title": "Help Net Security — Coordinated vulnerability disclosure is now an EU obligation (Nuno Rodrigues Carvalho interview)",
      "content_html": "<p><em>Help Net Security</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 interview with ENISA&#x27;s Nuno Rodrigues Carvalho on coordinated vulnerability disclosure as an EU obligation, providing the institutional view on how the NIS2-mandated CVD obligation is being operationalised through the EUVD and ENISA&#x27;s CVE Program Root role.</p><p><strong>Tags:</strong> DISCL, GOV, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Help Net Security"
        }
      ],
      "tags": [
        "DISCL",
        "GOV",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hicks-attridge-janjeva-ashurst-claude-mythos-what-does-anthropic-s-new-model-mea-2026-05-07",
      "url": "https://cetas.turing.ac.uk/publications/claude-mythos-future-cybersecurity",
      "title": "Hicks, Attridge, Janjeva & Ashurst — Claude Mythos: What Does Anthropic's New Model Mean for the Future of Cybersecurity? (CETaS Expert Analysis)",
      "content_html": "<p><em>Chris Hicks, Connor Attridge, Ardi Janjeva, Carolyn Ashurst (Centre for Emerging Technology and Security at the Alan Turing Institute)</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 UK-academic-policy assessment from CETaS at the Alan Turing Institute providing the cleanest UK-academic-policy critique of the Glasswing distribution model in the corpus.</p><p><strong>Tags:</strong> DISC, XCUT, SOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Chris Hicks, Connor Attridge, Ardi Janjeva, Carolyn Ashurst (Centre for Emerging Technology and Security at the Alan Turing Institute)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "SOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-huang-dwarkesh-patel-interview-semiconductor-export-control-mythos-2026-05-07",
      "url": "https://www.dwarkesh.com/p/jensen-huang",
      "title": "Huang — Dwarkesh Patel interview (semiconductor export control & Mythos)",
      "content_html": "<p><em>Jensen Huang (interviewed by Dwarkesh Patel); supplementary statement by US Treasury Secretary Scott Bessent</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 podcast interview in which Nvidia CEO Jensen Huang, pressed on whether Chinese access to compute for training Mythos-class models posed a national-security concern, argued that the capability had been trained on &quot;fairly mundane&quot; compute widely available outside the United States.</p><p><strong>Tags:</strong> GOV, POL, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Jensen Huang (interviewed by Dwarkesh Patel); supplementary statement by US Treasury Secretary Scott Bessent"
        }
      ],
      "tags": [
        "GOV",
        "POL",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hubert-amerika-runt-binnenkort-onze-btw-vat-fast-enterprises-2026-05-07",
      "url": "https://berthub.eu/articles/posts/btw-as-an-american-service/",
      "title": "Hubert — Amerika runt binnenkort onze btw (VAT/FAST Enterprises)",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 blog post documenting the case of FAST Enterprises, a US vendor that has become operationally central to the Dutch VAT collection system.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hubert-aws-and-microsoft-are-selling-much-more-than-cloud-services-2026-05-07",
      "url": "https://berthub.eu/articles/posts/aws-and-microsoft-are-selling-much-more-than-cloud/",
      "title": "Hubert — AWS and Microsoft are selling much more than cloud services",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 blog post developing the &quot;blame absorption&quot; thesis: that the operational value institutions derive from US hyperscalers is partly the technology and partly the political cover of being able to point at a large American vendor when something goes wrong.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hubert-btw-software-turnkey-beheerd-as-a-service-2026-05-07",
      "url": "https://berthub.eu/articles/posts/software-turnkey-as-a-service/",
      "title": "Hubert — Btw: Software, turnkey, beheerd, as a service",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2026-03-01</p><p>March 2026 expansion of the outsourcing taxonomy for the Dutch parliamentary audience.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hubert-europe-s-executives-need-to-skill-up-to-solve-our-total-us-cloud-dependen-2026-05-07",
      "url": "https://berthub.eu/articles/posts/ft-on-european-cloud/",
      "title": "Hubert — Europe's executives need to skill up to solve our total US cloud dependency",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 piece (in dialogue with FT coverage) on the executive digital-literacy gap as a binding constraint on European-cloud sovereignty.</p><p><strong>Tags:</strong> SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-hubert-rondetafeloverleg-tweede-kamer-over-solvinity-parliamentary-position-pape-2026-05-07",
      "url": "https://berthub.eu/articles/posts/overheid-operationele-afhankelijkheden/",
      "title": "Hubert — Rondetafeloverleg Tweede Kamer over Solvinity (parliamentary position paper)",
      "content_html": "<p><em>Bert Hubert</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 position paper for the Dutch parliament&#x27;s Solvinity roundtable. The paper sets out a six-level outsourcing taxonomy (self-built through full SaaS) that is applicable to any infrastructure category including vulnerability infrastructure, documents the DigiD/Solvinity case, and presents the Rekenkamer (Dutch Court of Audit) finding on operational dependencies.</p><p><strong>Tags:</strong> SOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bert Hubert"
        }
      ],
      "tags": [
        "SOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-intigriti-a-i-future-of-bug-bounty-composite-with-code-of-conduct-and-ai-model-c-2026-05-07",
      "url": "https://www.intigriti.com/blog/business-insights/ai-future-of-bug-bounty",
      "title": "Intigriti — A(I) Future of Bug Bounty (composite, with Code of Conduct and AI model card)",
      "content_html": "<p><em>Intigriti (Antwerp; the only EU-headquartered major bug-bounty platform)</em></p><p><strong>Published:</strong> 2026-06-30</p><p>Composite entry for Intigriti&#x27;s documented response to AI-slop pressure, the only major commercial bounty platform headquartered in the EU.</p><p><strong>Tags:</strong> DISCL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Intigriti (Antwerp; the only EU-headquartered major bug-bounty platform)"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-kiteworks-state-of-ai-cybersecurity-in-2026-2026-05-07",
      "url": "https://www.kiteworks.com/cybersecurity-risk-management/ai-cybersecurity-2026-trends-report/",
      "title": "Kiteworks — State of AI Cybersecurity in 2026",
      "content_html": "<p><em>Kiteworks</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 industry-survey report focused on the CISO-versus-practitioner confidence gap in AI cybersecurity.</p><p><strong>Tags:</strong> OPS, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Kiteworks"
        }
      ],
      "tags": [
        "OPS",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-kwiatkowski-a-serious-conversation-about-mythos-2026-05-07",
      "url": "https://blog.kwiatkowski.fr/mythos",
      "title": "Kwiatkowski — A serious conversation about Mythos",
      "content_html": "<p><em>Ivan Kwiatkowski (Borderline blog; formerly Kaspersky GReAT)</em></p><p><strong>Published:</strong> 2026-04-26</p><p>26 April 2026 sceptical practitioner read on the Mythos moment, structured as four moves.</p><p><strong>Tags:</strong> DISC, XCUT, SOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Ivan Kwiatkowski (Borderline blog; formerly Kaspersky GReAT)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "SOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-leverett-and-van-der-ham-de-vos-vulnerability-abundance-a-formal-proof-of-infini-2026-05-07",
      "url": "https://arxiv.org/abs/2604.07539",
      "title": "Leverett and van der Ham-de Vos — Vulnerability Abundance: A formal proof of infinite vulnerabilities in code",
      "content_html": "<p><em>Éireann Leverett, Jeroen van der Ham-de Vos</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 arXiv preprint providing the formal proof that the vulnerability population in non-trivial code is functionally infinite, settling the density question that Geer (2014), Rescorla (2005), Ozment and Schechter (2006), and Herr et al. (2017) had been circling for two decades.</p><p><strong>Tags:</strong> XCUT, DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Éireann Leverett, Jeroen van der Ham-de Vos"
        }
      ],
      "tags": [
        "XCUT",
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-lexology-new-eu-cybersecurity-package-digital-sovereignty-without-saying-it-2026-05-07",
      "url": "https://www.lexology.com/library/detail.aspx?g=d964049d-8213-4ce4-8436-076b6961adc4",
      "title": "Lexology — New EU cybersecurity package: digital sovereignty without saying it",
      "content_html": "<p><em>Lexology</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 legal analysis characterising the CSA2 package as &quot;a strategic tool for achieving technological sovereignty&quot; — the Commission&#x27;s own framing of the package as sovereignty policy in cybersecurity dress.</p><p><strong>Tags:</strong> GOV, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Lexology"
        }
      ],
      "tags": [
        "GOV",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-lim-spaceraccoon-discovering-negative-days-with-llm-workflows-2026-05-07",
      "url": "https://spaceraccoon.dev/discovering-negative-days-llm-workflows/",
      "title": "Lim (\"Spaceraccoon\") — Discovering Negative-Days with LLM Workflows",
      "content_html": "<p><em>Eugene Lim (&quot;Spaceraccoon&quot;)</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 personal-blog post by Eugene Lim describing a GitHub Action that monitors open-source repositories for security-relevant commits, passes diffs to Claude for analysis, and creates issues when it identifies a vulnerability being patched.</p><p><strong>Tags:</strong> DISC, EXPL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Eugene Lim (\"Spaceraccoon\")"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-liu-et-al-agentflow-automated-multi-agent-harness-synthesis-for-vulnerability-di-2026-05-07",
      "url": "https://arxiv.org/abs/2604.20801",
      "title": "Liu et al. — AgentFlow: Automated Multi-Agent Harness Synthesis for Vulnerability Discovery",
      "content_html": "<p><em>Hanzhi Liu (UC Santa Barbara), Chaofan Shou (Fuzzland), Xiaonan Liu (Fuzzland), Hongbo Wen (UC Santa Barbara), Yanju Chen (UC San Diego), Ryan Jingyang Fang (World Liberty Financial), Yu Feng (UC Santa Barbara)</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 paper introducing the TerminalBench-2 benchmark and the AgentFlow orchestration framework, which measure end-to-end vulnerability discovery including harness generation, target instrumentation, and bug confirmation.</p><p><strong>Tags:</strong> DISC, XCUT, POL, HIST</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Hanzhi Liu (UC Santa Barbara), Chaofan Shou (Fuzzland), Xiaonan Liu (Fuzzland), Hongbo Wen (UC Santa Barbara), Yanju Chen (UC San Diego), Ryan Jingyang Fang (World Liberty Financial), Yu Feng (UC Santa Barbara)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "POL",
        "HIST"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mak-sakellariadis-nickel-white-house-presses-tech-companies-for-support-on-ai-dr-2026-05-07",
      "url": "https://www.politico.com/news/2026/04/30/white-house-ai-cyber-threats-mythos-00902045",
      "title": "Mak, Sakellariadis & Nickel — White House presses tech companies for support on AI-driven cyberattacks (*Politico*)",
      "content_html": "<p><em>Aaron Mak, John Sakellariadis, Dana Nickel (Politico Pro Cybersecurity)</em></p><p><strong>Published:</strong> 2026-04-30</p><p>30 April 2026 Politico exclusive sourced to four people with knowledge of discussions reporting that the White House Office of the National Cyber Director (ONCD) sent a list of questions to approximately 30 tech and cybersecurity firms in the week of 27 April 2026, with responses requested by Friday 1 May.</p><p><strong>Tags:</strong> POL, GOV, OPS, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Aaron Mak, John Sakellariadis, Dana Nickel (Politico Pro Cybersecurity)"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "OPS",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mayrhofer-finding-vulnerabilities-in-the-era-of-ai-llm-coding-agents-2026-05-07",
      "url": "http://www.mayrhofer.eu.org/post/vulnerability-reports-and-llms/",
      "title": "Mayrhofer — Finding Vulnerabilities in the Era of AI/LLM Coding Agents",
      "content_html": "<p><em>Roland Mayrhofer</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 practitioner blog post analysing the experience of receiving and triaging AI-generated vulnerability reports from the maintainer&#x27;s side.</p><p><strong>Tags:</strong> DISC, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Roland Mayrhofer"
        }
      ],
      "tags": [
        "DISC",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-microsoft-hogan-burney-from-capability-to-responsibility-securing-our-global-dig-2026-05-07",
      "url": "https://blogs.microsoft.com/on-the-issues/2026/05/01/from-capability-to-responsibility-securing-our-global-digital-ecosystem-with-next-generation-ai/",
      "title": "Microsoft (Hogan-Burney) — From capability to responsibility: securing our global digital ecosystem with next-generation AI",
      "content_html": "<p><em>Amy Hogan-Burney, Corporate Vice President, Microsoft *On the Issues*</em></p><p><strong>Published:</strong> 2026-05-01</p><p>1 May 2026 Microsoft policy statement on Microsoft *On the Issues* arguing that next-generation AI capability creates corresponding responsibility for tech companies, governments, and the broader security ecosystem.</p><p><strong>Tags:</strong> POL, GOV, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Amy Hogan-Burney, Corporate Vice President, Microsoft *On the Issues*"
        }
      ],
      "tags": [
        "POL",
        "GOV",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-microsoft-evolving-our-approach-to-coordinated-security-research-in-scope-by-def-2026-05-07",
      "url": "https://www.microsoft.com/en-us/msrc/blog/2025/12/in-scope-by-default",
      "title": "Microsoft — Evolving our approach to coordinated security research: In Scope by Default",
      "content_html": "<p><em>Tom Gallagher (VP Engineering, Microsoft Security Response Center)</em></p><p><strong>Published:</strong> 2025-12-11</p><p>11 December 2025 MSRC announcement, made by Tom Gallagher at Black Hat Europe, introducing the &quot;In Scope by Default&quot; model for Microsoft&#x27;s bug-bounty programme. Historically each eligible product or service had its own defined scope; the new approach makes any critical vulnerability with a direct and demonstrable impact on Microsoft&#x27;s online services eligible for a bounty award — regardless of whether the affected code is owned by Microsoft, a third party, or open source — and brings all online services into scope by default, including new services as soon as they are released. The two highlighted expansion areas are Microsoft-owned domains and cloud infrastructure, and third-party code (including open source) where Microsoft online services are impacted, with Microsoft offering an award where no prior bounty existed. Framed against the &gt;$17 million awarded the previous year through the bounty programme and the Zero Day Quest live-hacking event.</p><p><strong>Tags:</strong> DISCL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Tom Gallagher (VP Engineering, Microsoft Security Response Center)"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mogull-core-collapse-ai-and-cybersecurity-reset-2026-05-07",
      "url": "https://cloudsecurityalliance.org/blog/2026/02/26/core-collapse",
      "title": "Mogull — Core Collapse: AI and Cybersecurity Reset",
      "content_html": "<p><em>Rich Mogull</em></p><p><strong>Published:</strong> 2026-04-08</p><p>February 2026 CSA blog post developing the &quot;core collapse&quot; framework for the AI-era cybersecurity reset, with a follow-up applying the framework to Mythos: &quot;Anthropic&#x27;s Mythos Is Here: Defending from the Vulnpocalypse,&quot; CSA blog, 8 April 2026 (https://cloudsecurityalliance.org/blog/2026/04/08/anthropic-s-mythos-is-here-defending-from-the-vulnpocalypse).</p><p><strong>Tags:</strong> XCUT, POL, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Rich Mogull"
        }
      ],
      "tags": [
        "XCUT",
        "POL",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-mozilla-bug-bounty-with-the-9-april-2026-static-analysis-query-price-cut-citing--2026-05-07",
      "url": "https://www.mozilla.org/en-US/security/client-bug-bounty/",
      "title": "Mozilla — Bug Bounty (with the 9 April 2026 static-analysis-query price cut citing AI)",
      "content_html": "<p><em>Mozilla Security</em></p><p><strong>Published:</strong> 2026-04-09</p><p>Composite entry for Mozilla&#x27;s bounty-programme posture in the post-Mythos environment. Mozilla is *reducing* prices on a category where AI tooling has made the work cheaper, rather than holding prices and shifting scope.</p><p><strong>Tags:</strong> DISCL, OPS, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Mozilla Security"
        }
      ],
      "tags": [
        "DISCL",
        "OPS",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-the-new-stack-curl-s-daniel-stenberg-ai-slop-is-ddosing-open-source-fosdem-2026-2026-05-07",
      "url": "https://thenewstack.io/curls-daniel-stenberg-ai-is-ddosing-open-source-and-fixing-its-bugs/",
      "title": "The New Stack — cURL's Daniel Stenberg: AI slop is DDoSing open source (FOSDEM 2026)",
      "content_html": "<p><em>The New Stack (covering Daniel Stenberg&#x27;s FOSDEM 2026 keynote)</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 coverage of Daniel Stenberg&#x27;s FOSDEM keynote on the AI-slop problem in open-source vulnerability reporting: the volume of low-quality AI-generated reports is becoming a denial-of-service against maintainer attention, even as AI is also genuinely useful for finding and fixing real bugs.</p><p><strong>Tags:</strong> OPS, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "The New Stack (covering Daniel Stenberg's FOSDEM 2026 keynote)"
        }
      ],
      "tags": [
        "OPS",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-newport-is-claude-mythos-terrifying-or-just-hype-2026-05-07",
      "url": "https://calnewport.com/is-claude-mythos-terrifying-or-just-hype/",
      "title": "Newport — Is Claude Mythos 'Terrifying' or Just Hype?",
      "content_html": "<p><em>Cal Newport</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 piece offering a measured outsider read on the Mythos launch and the surrounding capability claims.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cal Newport"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ncsc-whitehouse-preparing-for-a-vulnerability-patch-wave-2026-05-07",
      "url": "https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave",
      "title": "NCSC (Whitehouse) — Preparing for a \"vulnerability patch wave\"",
      "content_html": "<p><em>Ollie Whitehouse, Chief Technology Officer, UK National Cyber Security Centre (NCSC)</em></p><p><strong>Published:</strong> 2026-05-01</p><p>1 May 2026 NCSC blog post arguing that AI used by sufficiently-skilled and knowledgeable individuals is showing the ability to exploit accumulated technical debt at scale and at pace across the technology ecosystem, and that the NCSC therefore expects a forced correction to address this debt across all types of software (open source, commercial, proprietary, and software as a service).</p><p><strong>Tags:</strong> OPS, PATCH, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Ollie Whitehouse, Chief Technology Officer, UK National Cyber Security Centre (NCSC)"
        }
      ],
      "tags": [
        "OPS",
        "PATCH",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-nhs-england-sdlc-8-internal-guidance-note-via-eden-nhs-goes-to-war-against-open--2026-05-07",
      "url": "https://shkspr.mobi/blog/2026/05/nhs-goes-to-war-against-open-source/",
      "title": "NHS England — SDLC-8 internal guidance note (via Eden, \"NHS Goes To War Against Open Source\") and New Scientist confirmation",
      "content_html": "<p><em>NHS England (issuing body, internal guidance note SDLC-8); Terence Eden (public-surfacing source via shkspr.mobi blog post)</em></p><p><strong>Published:</strong> 2026-04-29</p><p>On 29 April 2026, NHS England issued an internal guidance note designated SDLC-8 establishing that all NHS England source code repositories must be private by default, with public repositories switching to private on Monday 11 May 2026 (exemption requests due COP Wednesday 6 May 2026).</p><p><strong>Tags:</strong> OPS, POL, GOV, XCUT, SOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "NHS England (issuing body, internal guidance note SDLC-8); Terence Eden (public-surfacing source via shkspr.mobi blog post)"
        }
      ],
      "tags": [
        "OPS",
        "POL",
        "GOV",
        "XCUT",
        "SOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-nist-nist-updates-nvd-operations-to-address-record-cve-growth-2026-05-07",
      "url": "https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth",
      "title": "NIST — NIST Updates NVD Operations to Address Record CVE Growth",
      "content_html": "<p><em>National Institute of Standards and Technology (Harold Booth, VulnCon26)</em></p><p><strong>Published:</strong> 2026-04-15</p><p>15 April 2026 NIST announcement of a structural policy change at the NVD: facing 263% growth in CVE submissions between 2020 and 2025, an insufficient 42,000 enrichments completed in 2025, and Q1 2026 volumes running one-third above Q1 2025, the NVD has abandoned universal enrichment in favour of a three-tier risk-based prioritisation (KEV-listed vulnerabilities first, then software used by federal agencies and EO 14028 critical software, with everything else marked &quot;Not Scheduled&quot;).</p><p><strong>Tags:</strong> TRIAGE, SOV, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "National Institute of Standards and Technology (Harold Booth, VulnCon26)"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-openssf-criticality-score-2026-05-07",
      "url": "https://github.com/ossf/criticality_score",
      "title": "OpenSSF Criticality Score",
      "content_html": "<p><em>Open Source Security Foundation</em></p><p><strong>Published:</strong> 2026-06-30</p><p>Open-source 0–1 criticality scoring tool from OpenSSF that runs against any Git repository, combining contributor count, commit frequency, dependents, organisational diversity, and other signals into a single score.</p><p><strong>Tags:</strong> SUPPLY, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Open Source Security Foundation"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-openssf-vulnerability-disclosures-working-group-ai-slop-develop-best-current-pra-2026-05-07",
      "url": "https://github.com/ossf/wg-vulnerability-disclosures/issues/178",
      "title": "OpenSSF Vulnerability Disclosures Working Group — AI-SLOP: Develop best current practices (Issue #178)",
      "content_html": "<p><em>OpenSSF Vulnerability Disclosures Working Group</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 GitHub issue tracking the OpenSSF working group&#x27;s effort to develop best current practices for handling AI-generated vulnerability reports.</p><p><strong>Tags:</strong> OPS, DISCL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "OpenSSF Vulnerability Disclosures Working Group"
        }
      ],
      "tags": [
        "OPS",
        "DISCL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-owasp-mcp-top-10-beta-2026-05-07",
      "url": "https://owasp.org/www-project-mcp-top-10/",
      "title": "OWASP — MCP Top 10 (beta)",
      "content_html": "<p><em>OWASP</em></p><p><strong>Published:</strong> 2026-06-30</p><p>OWASP&#x27;s beta MCP Top 10, the early-stage attempt to formalise the MCP-specific vulnerability classes that the OX Security and PipeLab research surfaces empirically.</p><p><strong>Tags:</strong> SUPPLY, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "OWASP"
        }
      ],
      "tags": [
        "SUPPLY",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ox-security-mcp-stdio-rce-research-via-the-hacker-news-2026-05-07",
      "url": "https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html",
      "title": "OX Security — MCP STDIO RCE research (via The Hacker News)",
      "content_html": "<p><em>OX Security (reporting via The Hacker News)</em></p><p><strong>Published:</strong> 2026-04-22</p><p>22 April 2026 reporting on OX Security research identifying 10 CVEs across 7,000+ MCP servers with 150M+ downloads.</p><p><strong>Tags:</strong> SUPPLY, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "OX Security (reporting via The Hacker News)"
        }
      ],
      "tags": [
        "SUPPLY",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-patch-to-poc-k-repro-a-systematic-study-of-agentic-llm-systems-for-linux-kernel--2026-05-07",
      "url": "https://arxiv.org/html/2602.07287",
      "title": "Patch-to-PoC (K-Repro) — A Systematic Study of Agentic LLM Systems for Linux Kernel N-Day Reproduction",
      "content_html": "<p><em>authors not yet verified at time of catalogue entry — see arXiv:2602.07287 directly</em></p><p><strong>Published:</strong> 2026-02-01</p><p>February 2026 arXiv paper introducing K-Repro, an agentic system that takes only a security patch commit identifier as input and automatically deploys a reproduction environment (kernel source plus runnable image at the commit before the patch), generates a proof-of-concept exploit, and outputs a PoC, analysis report, and execution logs.</p><p><strong>Tags:</strong> EXPL, PATCH, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "authors not yet verified at time of catalogue entry — see arXiv:2602.07287 directly"
        }
      ],
      "tags": [
        "EXPL",
        "PATCH",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-payer-the-aipocalypse-or-how-llm-based-exploitation-is-the-new-normal-2026-05-07",
      "url": "https://nebelwelt.net/blog/2026/0420-AIpocalypse.html",
      "title": "Payer — The AIpocalypse or how LLM-based exploitation is the new normal",
      "content_html": "<p><em>Mathias Payer</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 essay setting out a four-stage agentic exploitation pipeline mapping to established offensive-research categories: stage 1 is code review, stage 2 is symbolic execution, stage 3 is fuzzing, stage 4 is mitigation bypass.</p><p><strong>Tags:</strong> DISC, EXPL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Mathias Payer"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-pipelab-the-state-of-mcp-security-2026-2026-05-07",
      "url": "https://pipelab.org/blog/state-of-mcp-security-2026/",
      "title": "PipeLab — The State of MCP Security 2026",
      "content_html": "<p><em>PipeLab</em></p><p><strong>Published:</strong> 2026-06-30</p><p>Industry analysis identifying 30+ CVEs in 60 days across MCP implementations and finding that 82% are vulnerable to path traversal.</p><p><strong>Tags:</strong> SUPPLY, EXPL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "PipeLab"
        }
      ],
      "tags": [
        "SUPPLY",
        "EXPL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-provos-finding-zero-days-with-any-model-with-the-ironcurtain-orchestration-frame-2026-05-07",
      "url": "https://www.provos.org/p/finding-zero-days-with-any-model/",
      "title": "Provos — Finding Zero-Days with Any Model (with the IronCurtain orchestration framework)",
      "content_html": "<p><em>Niels Provos</em></p><p><strong>Published:</strong> 2026-04-29</p><p>29 April 2026 first-person research post by Niels Provos — committer of the original OpenBSD TCP SACK code in November 1998 (the same code containing the 27-year-dormant bug Anthropic showcased as the Mythos marquee finding) — documenting use of his open-source IronCurtain orchestration framework (https://github.com/provos/ironcurtain) with a finite-state-machine `vuln-discovery` workflow built around a central Orchestrator agent that dispatches specialised agents based on an append-only execution journal.</p><p><strong>Tags:</strong> DISC, EXPL, XCUT, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Niels Provos"
        }
      ],
      "tags": [
        "DISC",
        "EXPL",
        "XCUT",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ptacek-vulnerability-research-is-cooked-2026-05-07",
      "url": "https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/",
      "title": "Ptacek — Vulnerability Research Is Cooked",
      "content_html": "<p><em>Thomas Ptacek</em></p><p><strong>Published:</strong> 2026-03-30</p><p>30 March 2026 essay arguing that the economics of vulnerability research have shifted decisively under AI pressure.</p><p><strong>Tags:</strong> DISC, XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Thomas Ptacek"
        }
      ],
      "tags": [
        "DISC",
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-the-register-ai-slop-got-better-so-now-maintainers-have-more-work-2026-05-07",
      "url": "https://www.theregister.com/2026/04/06/ai_coding_tools_more_work/",
      "title": "The Register — AI slop got better, so now maintainers have more work",
      "content_html": "<p><em>The Register</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 industry coverage of the changing dynamic in maintainer experience as AI-generated vulnerability reports improve in apparent quality.</p><p><strong>Tags:</strong> OPS, DISC</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "The Register"
        }
      ],
      "tags": [
        "OPS",
        "DISC"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-the-register-linux-foundation-wants-to-shield-foss-devs-from-ai-bug-slop-2026-05-07",
      "url": "https://www.theregister.com/2026/03/18/linux_foundation_ai_slop_defense/",
      "title": "The Register — Linux Foundation wants to shield FOSS devs from AI bug slop",
      "content_html": "<p><em>The Register</em></p><p><strong>Published:</strong> 2026-03-01</p><p>March 2026 coverage of the $12.5M Alpha-Omega/OpenSSF fund established to help open-source maintainers cope with AI-generated bug-report load.</p><p><strong>Tags:</strong> OPS, POL, SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "The Register"
        }
      ],
      "tags": [
        "OPS",
        "POL",
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-reuters-satter-us-officials-weigh-cutting-deadlines-to-fix-digital-flaws-amid-wo-2026-05-07",
      "url": "https://www.reuters.com/legal/litigation/us-officials-weigh-cutting-deadlines-fix-digital-flaws-amid-worries-over-ai-2026-05-01/",
      "title": "Reuters (Satter) — US officials weigh cutting deadlines to fix digital flaws amid worries over AI-powered hacking",
      "content_html": "<p><em>Raphael Satter (byline); Chizu Nomiyama (editor)</em></p><p><strong>Published:</strong> 2026-05-01</p><p>1 May 2026 Reuters exclusive sourced to two officials reporting that the US Cybersecurity and Infrastructure Security Agency (CISA) under acting director Nick Andersen and the US Office of the National Cyber Director (ONCD) under Sean Cairncross are considering cutting the default Binding Operational Directive deadline for federal civilian agencies to remediate KEV-listed actively-exploited vulnerabilities from the current ~two-week window down to three days.</p><p><strong>Tags:</strong> PATCH, OPS, POL, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Raphael Satter (byline); Chizu Nomiyama (editor)"
        }
      ],
      "tags": [
        "PATCH",
        "OPS",
        "POL",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-sans-csa-owasp-un-prompted-the-ai-vulnerability-storm-joint-emergency-strategy-b-2026-05-07",
      "url": "https://cloudsecurityalliance.org/press-releases/2026/04/14/sans-institute-cloud-security-alliance-un-prompted-and-owasp-genai-security-project-release-emergency-strategy-briefing-as-ai-driven-vulnerability-discovery-compresses-exploit-timelines-from-weeks-to-hours",
      "title": "SANS, CSA, OWASP — [un]prompted, The AI Vulnerability Storm (joint emergency strategy briefing)",
      "content_html": "<p><em>SANS Institute, Cloud Security Alliance, OWASP GenAI Security Project</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 joint emergency strategy briefing mapping 13 risk items to four frameworks: OWASP LLM Top 10 2025, OWASP Agentic Top 10 2026, MITRE ATLAS, and NIST CSF 2.0. The &quot;emergency briefing&quot; framing is itself a notable signal of how the major industry security bodies positioned the post-Mythos moment.</p><p><strong>Tags:</strong> OPS, POL, GOV</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "SANS Institute, Cloud Security Alliance, OWASP GenAI Security Project"
        }
      ],
      "tags": [
        "OPS",
        "POL",
        "GOV"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-saxe-exploits-don-t-cause-cyberattacks-2026-05-07",
      "url": "https://joshuasaxe181906.substack.com/p/exploits-dont-cause-cyberattacks",
      "title": "Saxe — Exploits don't cause cyberattacks",
      "content_html": "<p><em>Joshua Saxe</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 Substack essay arguing, from observed patterns of AI tool adoption by attackers, that the dominant use cases — social engineering, deepfake impersonation, voice fraud — exploit human trust rather than software vulnerabilities.</p><p><strong>Tags:</strong> EXPL, XCUT, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Joshua Saxe"
        }
      ],
      "tags": [
        "EXPL",
        "XCUT",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-schneier-on-anthropic-s-mythos-preview-and-project-glasswing-2026-05-07",
      "url": "https://www.schneier.com/blog/archives/2026/04/on-anthropics-mythos-preview-and-project-glasswing.html",
      "title": "Schneier — On Anthropic's Mythos Preview and Project Glasswing",
      "content_html": "<p><em>Bruce Schneier</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 blog post offering Schneier&#x27;s measured assessment of the Mythos and Glasswing announcements.</p><p><strong>Tags:</strong> DISC, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Bruce Schneier"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-security-cryptography-whatever-podcast-episode-with-nicholas-carlini-2026-05-07",
      "url": "https://securitycryptographywhatever.com/2026/03/25/ai-bug-finding/",
      "title": "*Security Cryptography Whatever* podcast — episode with Nicholas Carlini",
      "content_html": "<p><em>*Security Cryptography Whatever* podcast (Nicholas Carlini guest)</em></p><p><strong>Published:</strong> 2026-03-25</p><p>25 March 2026 podcast episode that is the primary source for Carlini&#x27;s file-by-file vulnerability scanning pipeline, which Ptacek and others reference.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "*Security Cryptography Whatever* podcast (Nicholas Carlini guest)"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-sonatype-2026-state-of-the-software-supply-chain-report-2026-05-07",
      "url": "https://www.sonatype.com/state-of-the-software-supply-chain/introduction",
      "title": "Sonatype — 2026 State of the Software Supply Chain Report",
      "content_html": "<p><em>Sonatype</em></p><p><strong>Published:</strong> 2026-06-30</p><p>Sonatype&#x27;s annual State of the Software Supply Chain Report, the most cited industry data source on open-source dependency consumption, malicious-package trends, and supply-chain attack volumes.</p><p><strong>Tags:</strong> SUPPLY</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Sonatype"
        }
      ],
      "tags": [
        "SUPPLY"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-sovereign-tech-fund-sovereign-tech-agency-2026-05-07",
      "url": "https://www.sovereign.tech/",
      "title": "Sovereign Tech Fund / Sovereign Tech Agency",
      "content_html": "<p><em>German Federal Ministry for Economic Affairs and Climate Action (sponsoring body); operated as Sovereign Tech Agency</em></p><p><strong>Published:</strong> 2026-06-30</p><p>German federal programme (operated as the Sovereign Tech Agency) providing targeted public funding to load-bearing open-source infrastructure projects, including a 2022 grant to curl (see Stenberg, &quot;Funded curl improvements,&quot; October 2022).</p><p><strong>Tags:</strong> SUPPLY, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "German Federal Ministry for Economic Affairs and Climate Action (sponsoring body); operated as Sovereign Tech Agency"
        }
      ],
      "tags": [
        "SUPPLY",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-stanley-coordinated-disclosure-in-the-llm-age-oss-sec-mailing-list-2026-05-07",
      "url": "https://seclists.org/oss-sec/2026/q2/250",
      "title": "Stanley — Coordinated Disclosure in the LLM Age (oss-sec mailing list)",
      "content_html": "<p><em>Jeremy Stanley (Open Infrastructure Foundation Infrastructure Engineer; OpenStack Vulnerability Management Team; OpenDev Collaboratory root administrator; Zuul maintainer; OpenStack Technical Committee member). Substantive replies from Clemens Lang (Red Hat RHEL Crypto Team) and Greg Kroah-Hartman (Linux stable maintainer).</em></p><p><strong>Published:</strong> 2026-04-28</p><p>28 April 2026 oss-sec mailing-list post by Jeremy Stanley — Open Infrastructure Foundation Infrastructure Engineer and OpenStack Vulnerability Management Team member (his name appears as the &quot;From:&quot; line on OSSAs from at least 2019 through OSSA-2025-002 and OSSA-2026-002) — questioning whether embargo workflows retain coherence given LLM-driven discovery volume and the risk of training-data feedback through public LLM services.</p><p><strong>Tags:</strong> DISC, GOV, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Jeremy Stanley (Open Infrastructure Foundation Infrastructure Engineer; OpenStack Vulnerability Management Team; OpenDev Collaboratory root administrator; Zuul maintainer; OpenStack Technical Committee member). Substantive replies from Clemens Lang (Red Hat RHEL Crypto Team) and Greg Kroah-Hartman (Linux stable maintainer)."
        }
      ],
      "tags": [
        "DISC",
        "GOV",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-stenberg-high-quality-chaos-2026-05-07",
      "url": "https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/",
      "title": "Stenberg — High-Quality Chaos",
      "content_html": "<p><em>Daniel Stenberg</em></p><p><strong>Published:</strong> 2026-04-22</p><p>22 April 2026 follow-up post by the curl maintainer to the FOSDEM 2026 talk, providing more specific data on the curl project&#x27;s experience with AI-generated vulnerability reports.</p><p><strong>Tags:</strong> OPS, DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Daniel Stenberg"
        }
      ],
      "tags": [
        "OPS",
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-stenberg-bagder-mastodon-january-2026-curl-is-a-small-project-2026-05-07",
      "url": "https://mastodon.social/@bagder/115893088600630096",
      "title": "Stenberg (@bagder) — Mastodon, January 2026 (\"curl is a small project\")",
      "content_html": "<p><em>Daniel Stenberg (@bagder@mastodon.social)</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 Mastodon post by the curl maintainer framing curl, in his own words, as a &quot;small project&quot; that &quot;cannot spend multiple hours every day arguing with people who want money,&quot; set against the &gt;20-billion-installation footprint that the curl narrative documents.</p><p><strong>Tags:</strong> OPS, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Daniel Stenberg (@bagder@mastodon.social)"
        }
      ],
      "tags": [
        "OPS",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-toomey-nist-can-t-keep-up-the-whole-digital-ecosystem-will-soon-feel-it-just-sec-2026-05-07",
      "url": "https://www.justsecurity.org/136914/nist-cant-keep-up/",
      "title": "Toomey — NIST Can't Keep Up. The Whole Digital Ecosystem Will Soon Feel It. (*Just Security*)",
      "content_html": "<p><em>Joe Toomey (VP Underwriting Security, Coalition)</em></p><p><strong>Published:</strong> 2026-04-27</p><p>27 April 2026 *Just Security* policy commentary on the 15 April 2026 NIST NVD announcement, articulating the structural retreat from universal enrichment as critical-infrastructure underinvestment rather than as scarcity-driven optimisation.</p><p><strong>Tags:</strong> TRIAGE, SOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Joe Toomey (VP Underwriting Security, Coalition)"
        }
      ],
      "tags": [
        "TRIAGE",
        "SOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-uk-aisi-inspect-ai-evaluation-framework-2026-05-07",
      "url": "https://github.com/UKGovernmentBEIS/inspect_ai",
      "title": "UK AISI — Inspect AI evaluation framework",
      "content_html": "<p><em>UK AI Security Institute</em></p><p><strong>Published:</strong> 2026-06-30</p><p>UK AISI&#x27;s open-source MIT-licensed evaluation framework for AI capability assessment, the infrastructure underlying the cyber evaluations cited above.</p><p><strong>Tags:</strong> DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "UK AI Security Institute"
        }
      ],
      "tags": [
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-uk-aisi-our-evaluation-of-claude-mythos-preview-s-cyber-capabilities-2026-05-07",
      "url": "https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities",
      "title": "UK AISI — Our evaluation of Claude Mythos Preview's cyber capabilities",
      "content_html": "<p><em>UK AI Security Institute</em></p><p><strong>Published:</strong> 2026-04-01</p><p>April 2026 AISI blog post on the Mythos Preview cyber-capability evaluation, providing an independent UK-government read on Anthropic&#x27;s capability claims.</p><p><strong>Tags:</strong> DISC, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "UK AI Security Institute"
        }
      ],
      "tags": [
        "DISC",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-uk-aisi-our-evaluation-of-openai-s-gpt-5-5-cyber-capabilities-2026-05-07",
      "url": "https://www.aisi.gov.uk/blog/our-evaluation-of-openais-gpt-5-5-cyber-capabilities",
      "title": "UK AISI — Our evaluation of OpenAI's GPT-5.5 cyber capabilities",
      "content_html": "<p><em>UK AI Security Institute (AISI)</em></p><p><strong>Published:</strong> 2026-04-30</p><p>30 April 2026 AISI blog post — AISI&#x27;s second public frontier-model cyber evaluation in three weeks, tested against the same suite used for Mythos Preview (95 narrow CTF tasks across four difficulty tiers; the TLO and Cooling Tower cyber ranges).</p><p><strong>Tags:</strong> DISC, POL, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "UK AI Security Institute (AISI)"
        }
      ],
      "tags": [
        "DISC",
        "POL",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-walls-django-security-team-recent-trends-in-the-work-of-the-django-security-team-2026-05-07",
      "url": "https://www.djangoproject.com/weblog/2026/feb/04/recent-trends-security-team/",
      "title": "Walls (Django Security Team) — Recent trends in the work of the Django Security Team",
      "content_html": "<p><em>Jacob Walls (Django Fellow, Django Security Team)</em></p><p><strong>Published:</strong> 2026-02-04</p><p>4 February 2026 Django Project blog post — published the day after the 3 February 2026 security release covering Django 6.0.2, 5.2.11 and 4.2.28 (six CVEs of varying severity) — providing the cleanest first-person maintainer account of LLM-driven *variant amplification*, the qualitative dynamic that complements the quantitative volume dynamic the curl/Stenberg arc documents.</p><p><strong>Tags:</strong> OPS, DISC, TRIAGE</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Jacob Walls (Django Fellow, Django Security Team)"
        }
      ],
      "tags": [
        "OPS",
        "DISC",
        "TRIAGE"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-weissberg-et-al-llm-based-vulnerability-discovery-through-the-lens-of-code-metri-2026-05-07",
      "url": "https://www.mlsec.org/docs/2026-icse.pdf",
      "title": "Weissberg et al. — LLM-based Vulnerability Discovery through the Lens of Code Metrics (ICSE 2026)",
      "content_html": "<p><em>Weissberg et al.</em></p><p><strong>Published:</strong> 2026-06-30</p><p>ICSE 2026 academic paper analysing LLM-based vulnerability discovery through the lens of established software-engineering code metrics.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Weissberg et al."
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-zhang-park-fleischer-et-al-sok-darpa-s-ai-cyber-challenge-aixcc-competition-desi-2026-05-07",
      "url": "https://arxiv.org/abs/2602.07666",
      "title": "Zhang, Park, Fleischer et al. — SoK: DARPA's AI Cyber Challenge (AIxCC): Competition Design, Architectures, and Lessons Learned",
      "content_html": "<p><em>Cen Zhang, Younggi Park, Fabian Fleischer, Yu-Fu Fu, Jiho Kim, Dongkwan Kim, Youngjoon Kim, Qingxiao Xu, Andrew Chin, Ze Sheng, Hanqing Zhao, Brian J. Lee, Joshua Wang, Michael Pelican, David J. Musliner, Jeff Huang, Jon Silliman, Mikel Mcdaniel, Jefferson Casavant, Isaac Goldthwaite, Nicholas Vidovich, Matthew Lehman, Taesoo Kim. 23-author paper across Georgia Institute of Technology, Texas A&amp;M University, Smart Information Flow Technologies (SIFT), Kudu Dynamics, and Microsoft.</em></p><p><strong>Published:</strong> 2026-02-01</p><p>First systematic third-party analysis of DARPA&#x27;s AI Cyber Challenge (AIxCC, 2023–2025), drawing on all seven finalist Cyber Reasoning System (CRS) codebases and whitepapers, the complete competition database, organiser reflection documents, and questionnaires/meetings with most finalist teams; cross-validated by at least two authors per technical analysis section.</p><p><strong>Tags:</strong> DISC, PATCH, XCUT, HIST, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Cen Zhang, Younggi Park, Fabian Fleischer, Yu-Fu Fu, Jiho Kim, Dongkwan Kim, Youngjoon Kim, Qingxiao Xu, Andrew Chin, Ze Sheng, Hanqing Zhao, Brian J. Lee, Joshua Wang, Michael Pelican, David J. Musliner, Jeff Huang, Jon Silliman, Mikel Mcdaniel, Jefferson Casavant, Isaac Goldthwaite, Nicholas Vidovich, Matthew Lehman, Taesoo Kim. 23-author paper across Georgia Institute of Technology, Texas A&M University, Smart Information Flow Technologies (SIFT), Kudu Dynamics, and Microsoft."
        }
      ],
      "tags": [
        "DISC",
        "PATCH",
        "XCUT",
        "HIST",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-korv-nek-et-al-hunting-for-vulnerabilities-call-for-european-protection-of-secur-2026-05-07",
      "url": "https://academic.oup.com/cybersecurity/article/12/1/tyag002/8449232",
      "title": "Škorvánek et al. — Hunting for vulnerabilities: call for European protection of security researchers",
      "content_html": "<p><em>Ivan Škorvánek et al.</em></p><p><strong>Published:</strong> 2026-01-01</p><p>January 2026 *Journal of Cybersecurity* paper providing a comparative analysis of European coordinated-vulnerability-disclosure frameworks.</p><p><strong>Tags:</strong> DISCL, GOV, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Ivan Škorvánek et al."
        }
      ],
      "tags": [
        "DISCL",
        "GOV",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-bbc-ecb-mythos-coverage-2026-05-07",
      "url": "https://www.bbc.com/news/articles/c2ev24yx4rmo",
      "title": "BBC — ECB / Mythos coverage",
      "content_html": "<p><em>BBC</em></p><p>Reuters/ECB-sourced BBC coverage of bankers being warned about Mythos risks. The journal records that the article could not be retrieved in the preparation window; included here for traceability.</p><p><strong>Tags:</strong> GOV, OPS</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "BBC"
        }
      ],
      "tags": [
        "GOV",
        "OPS"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-joyce-linkedin-liability-with-a-clock-2026-05-07",
      "url": "https://www.linkedin.com/posts/rob-joyce-b43445116_every-repository-of-code-you-rely-upon-just-activity-7447695180419371008-WLw0",
      "title": "Joyce — LinkedIn (\"liability with a clock\")",
      "content_html": "<p><em>Rob Joyce</em></p><p>LinkedIn post by Rob Joyce framing every code repository a developer depends on as &quot;a liability with a clock.&quot; The journal records the decision not to integrate this framing on the grounds that it is FUD-adjacent and does not match the paper&#x27;s measured tone, even though the underlying observation about supply-chain dependence is consistent with the paper&#x27;s argument.</p><p><strong>Tags:</strong> XCUT, POL</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Rob Joyce"
        }
      ],
      "tags": [
        "XCUT",
        "POL"
      ]
    },
    {
      "id": "https://tzafaar.codeberg.page/#entry-ottenheimer-freebsd-cve-2026-4747-log-suggests-mythos-is-a-marketing-trick-2026-05-07",
      "url": "https://www.flyingpenguin.com/freebsd-cve-2026-4747-log-suggests-mythos-is-a-marketing-trick/",
      "title": "Ottenheimer — FreeBSD CVE-2026-4747 Log Suggests Mythos is a Marketing Trick",
      "content_html": "<p><em>Davi Ottenheimer</em></p><p>14 April 2026 (updated 21 April) Ottenheimer post arguing that the FreeBSD CVE-2026-4747 commit log suggests the bug was independently in flight before the Mythos disclosure, complicating the marketing narrative around AI-discovered novelty.</p><p><strong>Tags:</strong> DISC, XCUT</p><p><a href=\"https://tzafaar.codeberg.page/\">View in bibliography</a></p>",
      "date_published": "2026-05-07T12:00:00Z",
      "authors": [
        {
          "name": "Davi Ottenheimer"
        }
      ],
      "tags": [
        "DISC",
        "XCUT"
      ]
    }
  ]
}
