taxonomy · how systems fail
Patterns.
Named bug-classes and conceptual frames. Each pattern is its own meta-analysis. The mechanism that gets named, plus every post that exhibits it.
- Trust Inversion (6 posts)
  The tools and credentials that authorize access to your systems are now the attack surface.
- Design Debt Driver (3 posts)
  A component whose bug-class keeps recurring. Patches address symptoms; the design holds the primitive.
- Disclosure After Exploitation (3 posts)
  Vendor discloses only after active in-wild exploitation. The gap between first-seen and CVE is the story.
- Maintainer Account Compromise (3 posts)
  Single maintainer account gates publishes to millions. One compromise ships to every downstream.
- Revocation Gap (3 posts)
  The window between credential compromise and detection. Every action in that window is legitimate.
- Security Tool As Primitive (3 posts)
  The privileged action of your security tool becomes the attack. Defender's hands become attacker's hands.
- Content Is Command (2 posts)
  External content feeds an interpreter that treats it as instructions. Prompt injection is one instance.
- Emergent Primitive (2 posts)
  Individually safe components that compose into an attack. Nobody owns the intersection.
- Mutable Reference As Immutable (2 posts)
  Git tags, date-labeled artifacts, the latest tag. Treated as pinned. Not.
- Persistent Blindspot (2 posts)
  The attack does not steal. It makes the defender permanently blind to a class of events.
- The Detector Is The Target (2 posts)
  The sandbox, scanner, or SOC tool is itself the attack surface.
- TOCTOU That Isn't (2 posts, unmapped)
  A 'race condition' that's actually deterministic. Attacker controls timing because the other side hasn't run yet.
- Unauth Write To Execution Path (2 posts)
  No auth required to write a file into a path the server executes. Webroot upload, CGI drop, etc.
- Unpatchable Primitive (2 posts)
  The bug class is too fundamental to the design. Patches close instances; the primitive remains.
- Commented Out Code Is Testimony (1 post)
  The capability the researcher didn't ship tells you what the capability is. Read what's commented out.
- Denial By Pedantry (1 post)
  'We weren't breached' via a narrow reading of their own terms. Non-denial denial.
- Disclaimer Wrapped Campaign Kit (1 post)
  A PoC that ships a full weaponizer behind a 'for authorized testing only' disclaimer.
- Fail Open Intercept (1 post)
  Security gate can't decrypt/validate a message and forwards it anyway. Logs the failure, does the action.
- MFT as Primary Target (1 post)
  Managed file transfer products carry the payload and the trust. Now carry the breaches.
- Nonce Is Not Auth (1 post)
  CSRF tokens mistaken for authentication. Valid nonce does not equal authenticated caller.
- Prototype Pollution Trust Bypass (1 post)
  A trust check that reads shared prototype state. Attacker writes once, every object reports trusted.
- Self Propagating Supply Chain (1 post)
  Worm pattern in a package registry: infected package harvests credentials, publishes to the next.
- Signing Surface Poisoning (1 post)
  Hardware wallet / HSM / signer shows one thing, signs another. Trust boundary lives at the rendering layer.
- Todo That Shipped (1 post)
  The fix was in a comment. The code shipped without it. Audit your oldest TODOs.
- Unsigned Ecosystem Echo (1 post)
  A new ecosystem replaying every lesson the old ones learned. Same registry shape, same provenance gap.
- Security Metric Theater (0 posts, unmapped)
  Coverage reported as a fraction when only the numerator was ever the story. MFA %, EDR coverage, etc.
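The Prototype Pollution Trust Bypass entry in one runnable piece. This is an added example written for this index, not code from the page or from any post it links: a recursive merge that follows a `__proto__` key from attacker JSON, a trust check that reads `obj.trusted` through the prototype chain and so reports every plain object trusted after a single write, and the hardened pair (own-property check, merge that refuses prototype keys and writes into a null-prototype object). `deepMerge`, `safeMerge`, `isTrustedVulnerable`, `isTrustedHardened`, `demo` and the payload are all constructed for illustration.

```javascript
// Added example (not from the page or the posts it indexes). Demonstrates the
// Prototype Pollution Trust Bypass pattern: one write to Object.prototype makes
// a prototype-chain trust check succeed for every object in the process.
// All names and the payload below are constructed for illustration.

// Naive recursive merge of untrusted JSON into a config object. Because it
// follows a "__proto__" key, target["__proto__"] resolves to Object.prototype
// and the nested values land on the shared prototype.
function deepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      deepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable check: `obj.trusted` walks the prototype chain, so a polluted
// Object.prototype.trusted makes an object the attacker never touched pass.
function isTrustedVulnerable(obj) {
  return obj.trusted === true;
}

// Hardened check: only an own property on a real object counts.
function isTrustedHardened(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return Object.hasOwn(obj, 'trusted') && obj.trusted === true;
}

// Hardened merge: drop keys that reach the prototype and build nested objects
// with a null prototype so nothing can be inherited from shared state.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run the constructed payload through both merges and both checks, then clean
// Object.prototype so the rest of the process is unaffected.
function demo() {
  const attackerJson = '{"__proto__": {"trusted": true}}'; // constructed payload
  const config = deepMerge({}, JSON.parse(attackerJson));
  const unrelated = {}; // never touched by the attacker, still inherits the write
  const result = {
    prototypePolluted: Object.hasOwn(Object.prototype, 'trusted'),
    vulnerableSeesConfigTrusted: isTrustedVulnerable(config),
    vulnerableSeesUnrelatedTrusted: isTrustedVulnerable(unrelated),
    hardenedSeesUnrelatedTrusted: isTrustedHardened(unrelated),
  };
  delete Object.prototype.trusted;
  const safeConfig = safeMerge(Object.create(null), JSON.parse(attackerJson));
  result.safeMergePolluted = Object.hasOwn(Object.prototype, 'trusted');
  result.safeConfigHasTrusted = 'trusted' in safeConfig;
  return result;
}

module.exports = { deepMerge, safeMerge, isTrustedVulnerable, isTrustedHardened, demo };
```

Note that `JSON.parse` creates an ordinary own property named `__proto__`; the pollution happens in the merge, when that key is read on the target. The hardened check on its own is only half the fix: any code elsewhere that tests `obj.trusted` directly remains exposed until the merge stops writing to the prototype.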
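The Fail Open Intercept entry as code. This is an added example for this index, not from the page or any post it links: an HMAC-checking gate in front of a message handler, written once so that a validation failure or exception is logged and the message forwarded regardless, and once so that only a positive verification result reaches `forward`. The key, the three messages, and the names `sign`, `verify`, `gateFailOpen`, `gateFailClosed` and `demo` are constructed for illustration.

```javascript
// Added example (not from the page or the posts it indexes). Demonstrates the
// Fail Open Intercept pattern: a gate that logs a validation failure and then
// performs the action anyway, beside a fail-closed version.
// Key, messages and function names are constructed for illustration.
const crypto = require('node:crypto');

const KEY = Buffer.from('constructed-demo-key-not-for-production'); // constructed

function sign(body) {
  return crypto.createHmac('sha256', KEY).update(body).digest('hex');
}

// Returns true only when the tag is well-formed and matches. Throws on a
// malformed tag to model the "gate cannot even validate this" branch.
function verify(body, tagHex) {
  if (typeof tagHex !== 'string' || !/^[0-9a-f]{64}$/.test(tagHex)) {
    throw new Error('malformed tag');
  }
  const expected = Buffer.from(sign(body), 'hex');
  const given = Buffer.from(tagHex, 'hex');
  return crypto.timingSafeEqual(expected, given);
}

// Vulnerable gate: both the "tag mismatch" and the "could not validate" paths
// write a log line, then fall through to forward(). Every message gets through.
function gateFailOpen(msg, forward, log) {
  try {
    if (!verify(msg.body, msg.tag)) log(`bad tag on message ${msg.id}`);
  } catch (e) {
    log(`could not validate message ${msg.id}: ${e.message}`);
  }
  forward(msg); // reached on every path
  return 'forwarded';
}

// Hardened gate: forward only after verify() returned true; a false result and
// an exception are both rejections.
function gateFailClosed(msg, forward, log) {
  let ok = false;
  try {
    ok = verify(msg.body, msg.tag);
  } catch (e) {
    log(`could not validate message ${msg.id}: ${e.message}`);
  }
  if (!ok) {
    log(`rejected message ${msg.id}`);
    return 'rejected';
  }
  forward(msg);
  return 'forwarded';
}

// Push a genuine, a tampered and a malformed message through both gates and
// return what each gate did, what it forwarded and what it logged.
function demo() {
  const genuine = { id: 1, body: 'transfer 10 to alice', tag: sign('transfer 10 to alice') };
  const tampered = { id: 2, body: 'transfer 10000 to mallory', tag: genuine.tag }; // body changed, tag reused
  const malformed = { id: 3, body: 'transfer 5 to bob', tag: 'not-hex' };          // gate cannot validate
  const results = { open: {}, closed: {}, forwarded: { open: [], closed: [] }, logs: [] };
  const log = (line) => results.logs.push(line);
  for (const m of [genuine, tampered, malformed]) {
    results.open[m.id] = gateFailOpen(m, (x) => results.forwarded.open.push(x.body), log);
    results.closed[m.id] = gateFailClosed(m, (x) => results.forwarded.closed.push(x.body), log);
  }
  return results;
}

module.exports = { sign, verify, gateFailOpen, gateFailClosed, demo };
```

The tell in the vulnerable gate is structural: `forward(msg)` sits outside the `try` and below both failure branches, so the log line is the only effect a failed check has. Reviewing for this pattern means finding the action call and asking which paths reach it, not whether failures are logged.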
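The Mutable Reference As Immutable entry as a check a practitioner can run. This is an added example for this index, not from the page or any post it links: a classifier that treats only a full 40-hex commit SHA or a sha256 image digest as pinned, and labels version tags, date-labeled tags, `latest` and branch names as mutable, plus a small auditor that applies it to the `uses:` and `image:` lines of a CI workflow. The workflow text, the repository and image names, and the functions `classifyRef` and `auditWorkflow` are constructed for illustration; the generalization across Git refs and container tags goes beyond the entry's three examples.

```javascript
// Added example (not from the page or the posts it indexes). Demonstrates the
// Mutable Reference As Immutable pattern by classifying dependency references:
// only a full commit SHA or a sha256 digest is content-addressed; every kind of
// tag (version, date, latest, branch) can be moved or re-pushed.
// Sample workflow, names and functions are constructed for illustration.

const FULL_SHA = /^[0-9a-f]{40}$/;
const DATE_TAG = /^(?:\d{4}-\d{2}-\d{2}|\d{8})(?:[-.].*)?$/; // 2024-05-01, 20240501-nightly
const DIGEST = /@sha256:[0-9a-f]{64}$/;

// Classify one reference: an action-style "owner/repo@ref" or a container image
// "name[:tag][@sha256:digest]". Returns { ref, pinned, reason }.
function classifyRef(ref) {
  if (DIGEST.test(ref)) return { ref, pinned: true, reason: 'sha256 digest' };
  const at = ref.lastIndexOf('@');
  if (at > 0) {
    const gitRef = ref.slice(at + 1);
    if (FULL_SHA.test(gitRef)) return { ref, pinned: true, reason: 'full commit SHA' };
    if (/^[0-9a-f]{7,39}$/.test(gitRef)) return { ref, pinned: false, reason: 'abbreviated SHA, not a full 40-hex commit' };
    if (DATE_TAG.test(gitRef)) return { ref, pinned: false, reason: 'date-labeled tag' };
    if (/^v?\d+(\.\d+)*$/.test(gitRef)) return { ref, pinned: false, reason: 'version tag (tag can be moved)' };
    return { ref, pinned: false, reason: 'branch or named tag' };
  }
  // Container image without a digest: a tag after the last path segment, or
  // an implicit "latest" when none is given. "registry:5000/app" has no tag.
  const colon = ref.lastIndexOf(':');
  const tag = colon > ref.lastIndexOf('/') ? ref.slice(colon + 1) : 'latest';
  if (tag === 'latest') return { ref, pinned: false, reason: 'latest tag' };
  if (DATE_TAG.test(tag)) return { ref, pinned: false, reason: 'date-labeled tag' };
  return { ref, pinned: false, reason: 'image tag (re-pushable)' };
}

// Pull every `uses:` and `image:` value out of workflow text and return the
// ones that are not content-addressed.
function auditWorkflow(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*(?:-\s*)?(uses|image):\s*["']?([^"'\s#]+)/);
    if (!m) continue;
    const c = classifyRef(m[2]);
    if (!c.pinned) findings.push({ field: m[1], ...c });
  }
  return findings;
}

// Constructed workflow: two references are pinned, four are mutable.
const SAMPLE_WORKFLOW = `
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:20
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/nightly-tool@2024-05-01
      - uses: docker://ghcr.io/example-org/scanner:latest
      - uses: docker://ghcr.io/example-org/linter@sha256:${'a'.repeat(64)}
`;

module.exports = { classifyRef, auditWorkflow, SAMPLE_WORKFLOW };
```

Usage: `auditWorkflow(SAMPLE_WORKFLOW)` returns four findings (the `node:20` image, `@v4`, the date tag and `:latest`). A version tag is listed as mutable on purpose: nothing prevents the tag from being re-pointed, which is the entry's point.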