Tachyon Security

Blog

What we're working on and what we're thinking about

Featured

Trivial To Introduce, Impossible to Fix: Why SSRFs are the Trickiest Security Issue in Modern Web Apps

One line of code introduces an SSRF. Fixing it correctly requires aligning URL parsing, DNS resolution, redirect handling, HTTP client behavior, and network policy—all at once, without missing a single edge case.

Rahul Govind·February 27, 2026·8 min read
Security·Web Security

Sandboxes Won't Save You From OpenClaw

AI agent misbehavior isn't a sandbox problem—it's a permissions problem.

Aakash Japi·February 24, 2026·5 min read
Security·AI

OpenWebUI, or How Not To Do Vulnerability Disclosure

A case study in poor vulnerability disclosure practices: how OpenWebUI silently patched a high-severity SSRF without crediting the researchers or notifying users.

Aakash Japi·February 19, 2026·3 min read
Security·Disclosure

CVE-2025-14297: MLflow Authorization Bypass

How Tachyon's autonomous security researcher found an authorization bypass in the open-source MLflow tracking server by reasoning across protocols and surfaces—and why this class of bug is so hard to catch.

Aakash Japi·February 3, 2026·10 min read
Security


The AI Security Engineer that finds, validates, and fixes vulnerabilities — end to end.

Copyright © 2026 Tachyon Security. All rights reserved.