Open Source Security

Listen, download, subscribe

Apple Podcasts

Spotify

Actually finding vulnerabilities using AI with Joshua Rogers

I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you're a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging vulnerabilities, and how to submit those bugs to open source projects responsibly. It's a very sane and realistic conversation about what AI tools can and can't do, and how humans should be interacting with these things. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-10-ai-joshua-rogers/

• 

  How to actually test a disaster plan with David Bernstein

• 

  Open Source Pledge with Vlad-Stefan Harbuz

• 

  Building a plan for disaster with David Bernstein

• 

  Open Source Malware with Paul McCarty

• 

  Package management challenges with Andrew Nesbitt

• 

  Open Source Security at scale with Michael Winser

• 

  2026 State of the Software Supply Chain with Brian Fox

• 

  MCP and Agent security with Luke Hinds

• 

  The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer

• 

  Rust coreutils with Sylvestre Ledru

• 

  Goose and the Agentic AI Foundation with Brad Axen

• 

  The Global Vulnerability Intelligence Platform with Olle E. Johansson

• 

  Digital Sovereignty and Nextcloud with Frank Karlitschek

• 

  The Art of Crisis Management with David Bernstein

• 

  WTF is a passkey with William Brown

• 

  All about Suricata with Victor Julien