Safe Harbor or Lawsuit? The VDP Clause That Protects You
Microsoft threatened a researcher with criminal charges, then backtracked in days. Here's how safe harbor in your vulnerability disclosure policy prevents that.
Hiring strategies, product updates, and engineering insights.
The Mercor breach exposed 4TB of candidate SSNs, passports, and video interviews. Here is why your ATS is a prime target and the privacy-by-design controls that shrink the blast radius.
HackerOne cut Internet Bug Bounty rewards up to 89% on work already done. Here's how to set bug bounty tiers that survive AI slop without betraying researchers.
From 11 September 2026, the EU Cyber Resilience Act forces software vendors to run coordinated vulnerability disclosure and report exploited bugs to ENISA on a 24-hour clock.
The North Korean IT worker scheme nets an estimated $250M-$600M a year by placing fake remote hires inside U.S. companies. Here's how to catch them at intake.
curl, HackerOne, and Nextcloud all buckled under AI-generated bug bounty slop in 2026. Here's the triage playbook that keeps a VDP alive under volume.
Researchers don't drop zero-days because they're hostile. They publish after slow acks, silent fixes, and severity downgrades. Keep them coordinating with you.
One employee who signs a policy after getting access can expand the audit sample from 25 to 60. Pipeline-driven onboarding stops CC1.4 and CC6.x failures.
77% of bug bounty programs ran a VDP first. One engineer can stand up the intake in a week: scope, security.txt, safe harbor, and triage SLAs.