Evan Harris
@evanharris.bsky.social
Agentic systems engineer.
Securing MCP integrations.
Building dev tools & Obsidian plugins.
Pinned
Evan Harris
@evanharris.bsky.social
· Jul 17
Last week I received my first bounty from ethical hacking.
Here's how I went from curious to paid in 3 months:
October 16, 2025 at 3:18 PM
New Security Advisory: A High severity DNS rebinding vulnerability (CVE-2025-10193) in the Neo4j MCP Cypher Server allows for complete database takeover by remote attackers.
The breakdown:
October 13, 2025 at 2:27 PM
Some companies are friendly to submit disclosures to.
Others are so abrasive I do not expect to ever have another positive word to say about them.
There may be many downstream users of the second batch of companies.
However, the pain of helping them is not worth it.
Sorry.
October 10, 2025 at 3:15 PM
Evals Evals Evals
I am on Day 5 of AI Evals for Engineers
& I am having a blast
I learned about:
- Axial Coding
- Open Coding
- LLM as Judge
- Error Analysis
- Golden Datasets
- Perturbing Traces
- Guardrails Versus Evals
- Programmatic Evaluators
What will next week hold?
October 9, 2025 at 3:01 PM
What is your favorite type of programming?
Mine is deleting a feature someone thought would be useful.
But the data shows that no one wants it.
Less maintenance work.
More time to focus on value delivery.
October 8, 2025 at 2:27 PM
AI Evals for Engineers & PMs - Day 3
This course is high value.
I had no expectations.
I have already been blown away.
Feeling blessed to be in Oct cohort as the infinite repeats will be my play.
The community questions really drive much of my learning.
October 7, 2025 at 7:00 PM
Not your keys not your crypto is a common saying.
The new attack vectors via MCP servers add a new layer to this.
Use of your keys, by the software you give too much trust to, again leads to the scenario of:
Not your crypto.
October 6, 2025 at 12:34 PM
Your vulnerability scan results could leak to attackers via DNS rebinding. CVE-2025-59163 affects SafeDep Vet MCP Server running SSE transport.
The attack: A single website visit. The payload: Your entire package vulnerability database. The fix: Already shipped.
Here's how it works:
October 5, 2025 at 11:09 AM
Binding to 0.0.0.0 versus 127.0.0.1
What is the difference?
If you write APIs and do not know, I would love to point you in the right direction.
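The two DNS rebinding advisories above (Neo4j MCP Cypher Server, SafeDep Vet MCP Server on SSE transport) and the 0.0.0.0 versus 127.0.0.1 question share one defensive point, shown here with an added Python example that is not from the posts or from either project. Binding to 127.0.0.1 keeps other machines off the endpoint, while 0.0.0.0 exposes it on every interface; but a rebinding page runs in a browser on the same machine, so loopback binding alone does not stop it. The server must also reject requests whose Host header does not name a local host, which is what the browser sends after the attacker's DNS record flips to 127.0.0.1. The `/sse` path, the `ALLOWED_HOSTS` set, the 421 status and the event payload are assumptions for the demo.

```python
"""Added example (not from the original posts): Host-header validation for a
localhost SSE endpoint, the standard mitigation for DNS rebinding, plus a
loopback bind so the endpoint is not reachable from other machines."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hosts a legitimate local client puts in the Host header. Assumed for the demo.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True if the Host header names a local host, ignoring any :port suffix.

    A rebinding page's requests carry the attacker's domain in Host (the
    browser fills it from the URL it loaded), so anything outside the
    allowlist is rejected before any data is produced.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    else:                                # hostname or IPv4, e.g. localhost:8000
        host = host.split(":", 1)[0]
    return host in allowed


class SseHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for an MCP server's SSE endpoint."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # 421: this server does not serve the host named in the request.
            self.send_error(421, "Misdirected Request")
            return
        body = b"event: message\ndata: constructed scan result\n\n"  # constructed payload
        self.send_response(200)
        self.send_header("Content-Type", "text/event-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass


def probe(host_header, bind_addr="127.0.0.1"):
    """Start the server on bind_addr, send one GET carrying host_header, return the status.

    bind_addr="127.0.0.1" means only processes on this machine can connect;
    "0.0.0.0" would expose the same endpoint on every interface. Either way the
    Host check is what stops a rebinding page running in a local browser.
    """
    server = ThreadingHTTPServer((bind_addr, 0), SseHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        req = urllib.request.Request(
            f"http://127.0.0.1:{port}/sse", headers={"Host": host_header}
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("local client  :", probe("localhost"))         # 200
    print("rebinding page:", probe("attacker.example"))  # 421
```

The same allowlist idea applies to the Origin header, which browsers attach to cross-site requests; checking both Host and Origin, and binding to 127.0.0.1 rather than 0.0.0.0, covers the local-browser and the remote-network paths respectively.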
October 3, 2025 at 1:50 PM
Your Amp AI agent can be tricked by attackers into sending them your API keys.
A prompt injection vulnerability allows them to exfiltrate your sensitive data via DNS queries.
Amp does not consider this a vulnerability.
Here is the breakdown:
October 2, 2025 at 9:14 PM
Is your AI coding assistant secretly working for an attacker? A new Kilo Code vulnerability shows it's possible.
It allows attackers to execute an automated supply chain attack by pushing malicious code to upstream repositories.
Here's how it works:
October 2, 2025 at 2:48 PM
Saying that your product only runs within trusted systems does only one thing: demonstrate how little awareness you have of the software supply chain.
October 1, 2025 at 2:23 PM
Learning AI evals at the moment
My favorite part?
Setting up the environments that the evals run in.
Fun Docker question:
Why is `source` not very useful in the context of a `RUN` invocation within a Dockerfile?
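The Docker question above, answered with an added shell example that is not from the original post: Docker runs each RUN instruction as its own `/bin/sh -c "<command>"`, so whatever one RUN line `source`s (variables, an activated virtualenv, PATH edits) is gone when that shell exits and the next RUN line starts fresh. The `docker_run` helper, the `settings.sh` file and the `APP_MODE` variable are constructed for the demo; the commented Dockerfile lines show what each function imitates.

```sh
#!/bin/sh
# Added example (not from the original post). Docker executes each RUN line as
# its own `/bin/sh -c "<command>"`; when that shell exits, everything it
# sourced goes with it. docker_run imitates one RUN instruction so the effect
# can be seen without building an image.

WORK="$(mktemp -d)"
# Constructed stand-in for a file you would normally `source`, e.g. a venv's
# bin/activate or a settings script.
printf 'export APP_MODE=hardened\n' > "$WORK/settings.sh"

# One simulated RUN instruction: a fresh non-interactive /bin/sh per call.
# `.` is used rather than `source` because POSIX sh (dash in Debian-based
# images) only guarantees `.`.
docker_run() {
  /bin/sh -c "cd \"$WORK\" && $1"
}

# RUN . ./settings.sh
# RUN echo "$APP_MODE"
# The second line never sees the variable: it ran in a different shell.
separate_runs() {
  docker_run '. ./settings.sh' >/dev/null
  docker_run 'printf "%s" "${APP_MODE:-unset}"'
}

# RUN . ./settings.sh && echo "$APP_MODE"
# Fix 1: source and use in the same RUN line, so one shell does both.
chained_run() {
  docker_run '. ./settings.sh && printf "%s" "${APP_MODE:-unset}"'
}

# ENV APP_MODE=hardened
# RUN echo "$APP_MODE"
# Fix 2: ENV is recorded in the image and injected into every later RUN
# (and into the running container). Simulated by exporting before the shell.
env_instruction() {
  ( export APP_MODE=hardened; docker_run 'printf "%s" "${APP_MODE:-unset}"' )
}

main() {
  echo "separate RUN lines : $(separate_runs)"   # unset
  echo "chained in one RUN : $(chained_run)"     # hardened
  echo "ENV instruction    : $(env_instruction)" # hardened
}

main "$@"
```

For an eval environment this matters because settings that must hold at runtime (not just at build time) belong in ENV or in the container's entrypoint, not in a RUN line that sources a script.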
September 30, 2025 at 3:02 PM
Have not landed your first CVE?
That was me a few months ago.
Now I have 3 under my belt.
And more in the pipeline.
Here is how to go from 0 - 100 on CVEs:
September 11, 2025 at 11:36 AM
Hacking.
The ocean.
Beautiful sunsets.
All I need.
A deeper state of peace
Leads to greater clarity of mind.
A far away horizon
Allows for a feeling of openness.
At which point
Anything becomes possible.
September 9, 2025 at 12:35 PM
The NPM supply chain attack yesterday only targeting crypto wallets is funny.
It highlights the:
- Lack of readiness of the internet as a whole for an increasingly hostile internet.
- Alarmist nature of a poorly scoped advisory.
- Low ambition of the attacker.
In the future:
August 22, 2025 at 2:08 PM
Want to save your future self trouble?
Take better notes.
Last night I pulled off an attack vector I had not touched in a month.
At first - no idea what I was doing.
Popped open my notes from last month.
Like following a step by step guide.
Better notes.
Better life.
August 15, 2025 at 11:05 AM
Hacking hacking hacking.
5 months ago I would have never guessed what I can now do.
5 months from now?
I can only imagine what I will be able to do.
The outer world offers its approval.
Inbounds as the primary signal.
Security analyst conversations as the secondary signal.
August 14, 2025 at 7:39 PM
Tired?
Stop trying so hard.
You are forcing it.
Surrender into the process.
You will find infinite energy there.
August 7, 2025 at 2:19 PM
Would you rather:
- Spend attention responding to vulnerability disclosures
- Get thrown off the board for negligent management of security risk
Knowing that...
Path 1 will impact your 'velocity.'
Path 2 is improbable (???) || a problem that may only present post-success.
August 6, 2025 at 12:37 PM
Automate or AI?
Knowing where to draw the line between the two is essential.
To minimize your token burn.
To maximize your output.
If you always default to one over the other, take a look at what is blocking you on the alternative path.
There are gains to be had there.
August 5, 2025 at 8:28 PM
Indirect prompt injection == not the responsibility of the vendor (?)
At least with MCP Servers.
As the client you can say no.
If your agent is set to auto approve and has privileged access to resources, then all external inputs are untrusted.
Secure yourself.
August 1, 2025 at 12:25 PM
Given a CORS misconfiguration that allows for data exfiltration:
Why do some vendors label this as a vulnerability while others don't?
If you run a software team, which bucket do you fall into?
July 25, 2025 at 1:57 PM
No greater satisfaction than a successful DNS rebind with data exfiltration
I took a week off from this class of attack
Built some fun & unrelated tools
Came back mad energized
First attack landed within an hour of server boot
2 hours later report submitted
Hack more
Win
July 24, 2025 at 6:29 PM
When I pick up an old side project...
July 24, 2025 at 7:42 AM
Diving into vLLMs today.
No idea what is best in class at the moment.
I want to distill unstructured key info out of videos up to 5 minutes long.
OSS-wise Qwen2.5-VL seems neat.
Their GH looks very unmaintained :)
Sonnet? Gemini? GPT???
Any advice?
Plz