Ramblings from a .NET Security PM

Sign in Subscribe

Latest — 14 Jun 2026

Is your .NET vulnerability report going to get a CVE?

Recently, we’ve seen an increase in .NET vulnerability reports that fall into what we would call “bug-bug” territory rather than security vulnerability territory. To help guide future vulnerability research, we have a set of framing guidance.

More issues

When is a guid not a guid?

A conversation with Azure Security about an unexpected behaviour when comparing Guid types in .NET demonstrated the need to explain how value versus representation comparisons can lead to security bugs.

Protecting your .NET app from Server-Side Request Forgery (SSRF) vulnerabilities.

A couple of weeks ago a friend asked what Server-Side Request Forgery (SSRF) was, how worried they should be, and how to fix it, as GitHub Copilot had told them that their application was vulnerable. This sent me down a rabbit hole thinking about my own .NET Bluesky SDK

Generating SBOMs in NuGet packages with Microsoft.Sbom.Targets

How to use the Microsoft.SBOM.Targets NuGet package to produce a Software Bill of Materials (SBOM) during your release builds.

Enabling Source Control integration in Windows File Explorer

Windows Explorer can now show Git commit messages, the last changed date, and a version status of the file is modified and needs to be committed, as well as branch information in the status bar.

Publishing NuGet packages from a Github Action without secrets

This guide will walk you through using a combination of GitHub actions and NuGet publishing policies to push packages to nuget.org from within an action without needing to worry about API keys.

.NET code & nupkg signing in GitHub Actions

This guide will walk you through using a combination of GitHub actions and Entra managed identities to enable signing code and NuGet packages from within an action without needing to worry about access tokens.

Post Quantum Support in .NET

.NET 10 added ML-KEM, ML-DSA, SLH-DSA and Composite ML-KEM. Here I break down the support and its current limitations.

The year in .NET Security

A breakdown the year in .NET CVEs, including the code that caused the vulnerability, the fixes, and links to the GitHub PRs or commits that fixed the issues.