bug-bounty

The Math Does Not Work Anymore: Why Patching Faster Is No Longer Enough

John Z Black Apr 12, 2026

Security Operations & Resilience #vulnerability-management #qualys #cisa-kev #bug-bounty #ai-security #patch-management #risk-management

Qualys analyzed a billion CISA KEV remediation records and found attackers are weaponizing critical vulns an average of seven days before patches exist. The human-scale remediation model has hit a structural ceiling.

Google Paid Nearly $17 Million in Bug Bounties Last Year. What That Number Actually Tells Us.

John Z Black Mar 16, 2026

Vulnerabilities & Patching #bug-bounty #google #vulnerability-management #security-economics #exploit-market

Google's record $17 million in bug bounties sounds huge. Then you look at the exploit broker market, where a single iOS chain sells for $2.5 million, and the math gets interesting.