Episode description:
Show notes:
This month, Adrian and Alexandre dig into a mix of vulnerability management fundamentals, supply chain security developments, and the accelerating push for European digital sovereignty. The episode opens with a reality check on AI-assisted hacking: despite the hype around tools like Anthropic's Mythos, the vulnerabilities actually causing damage are still the old, unpatched ones sitting on forgotten assets.
Cyber insurance claims data from Coalition, At-Bay, and Cowbell increasingly backs this up with hard numbers, including a significant increase in ransomware risk for organizations running SonicWall devices. The guys also make the case that smart CISOs are using the AI security scare as political cover to finally get boards to fund the basics.
From there, the conversation turns to a brewing conflict between Microsoft and the security research community. After researcher Nightmare Eclipse alleged that Microsoft silently patched submitted vulnerabilities without credit or payment, other researchers piled on with similar stories. Microsoft's aggressive legal threats only made things worse, and now Nightmare Eclipse is dropping full disclosures on Patch Tuesday, with more promised. The episode includes practical guidance on what a healthy vulnerability disclosure program looks like, and what happens when organizations get it wrong.
The episode also covers npm's new package provenance features as a meaningful but incomplete step against supply chain attacks like the TeamPCP campaign, plus a look at the growing EU digital sovereignty movement, including one Dutch entrepreneur's experience moving his entire stack off US providers, and why subprocessor relationships mean you might not be as decoupled from US providers as you think.