March 06, 2026
Go 1.26.1 fixes two crypto/x509 CVEs: a name constraint bypass that silently dropped duplicate email keys, and a panic from empty SAN values.
March 04, 2026
AI coding agents on proprietary code already meet two of the three conditions for data exfiltration. Egress controls are your primary lever.
January 29, 2026
Go's filepath.Clean doesn't prevent path traversal despite its name. Learn why it fails, see a real-world vulnerability, and see how os.Root fixes it.
January 21, 2026
A threat model for RAG features covering untrusted source data, query authorization flaws, sensitive document exposure, and conversation context leaks.
January 05, 2026
Go's string comparison leaks timing info, but it compares in chunks, making timing attacks impractical. However, you should still use constant-time comparison.