25 Mar 2025

Vulnerability Disclosure Programs and Bug Bounties Are Being Used for the Wrong Thing, Leading to Poor Security Results

Last month DEF CON and the Cyber Policy Initiative at the University of Chicago released the inaugural Hackers’ Almanack, which “curate[ed] the top technical discoveries from DEF CON that have significant potential impact on public policy.” One section, written by Sven Cattell, put forward a view of how vulnerability disclosure programs (more accurately described as vulnerability reporting programs) and bug bounties should be used that runs counter to how WordPress security providers and others usually present them:

The evaluations used in AI and the unit tests and integration tests deployed in traditional software probe for known problems. Red teaming, on the other hand, looks for unknown problems. As AI pushes us into this new frontier of technology, these unknown unknowns are often the most elusive yet critical vulnerabilities to uncover. In traditional software we deal with these with disclosure programs and bug bounties.

He portrayed those as not being there to find known problems, but to find the “most elusive yet critical vulnerabilities.” He didn’t suggest that was anything other than a fact. While that is an accurate description of how they should be used, it isn’t how they are often used, nor how they are promoted by less than scrupulous security providers. Instead, they are presented as a replacement for proper practices, including having professionals do security reviews of software.

We keep seeing the poor results of that, including the failure of Patchstack’s VDP program to make sure publicly known security issues are fixed or to avoid simple-to-catch security failures. The misuse seems to be caused by security providers, as is far too often the case, looking to profit off of continuing insecurity instead of doing the work that would actually improve security.
