Field notes on vulnerability research, disclosure, and the bug classes I keep finding.https://securitybugfocus.com/en-ushttps://securitybugfocus.com/writing/dns-rebinding-in-2026/https://securitybugfocus.com/writing/dns-rebinding-in-2026/A short field guide to why a TTL-window race against your own DNS resolver beats most 'block private IPs' controls, drawn from cases against MobSF, MindsDB, and a recent GitLab importer.Sun, 12 Apr 2026 00:00:00 GMTSSRFhttps://securitybugfocus.com/writing/late-unicode-normalisation-dos/https://securitybugfocus.com/writing/late-unicode-normalisation-dos/Filenames, email addresses, identifiers — anywhere user input gets normalised after a length check, the multiplier between bytes-in and bytes-out becomes a denial-of-service primitive. Three case studies.Sun, 08 Feb 2026 00:00:00 GMTUNICODE