BSides Vancouver 2026

Open source runs the world. AI now ships most of the code. That means security decisions are happening inside the tools engineers already use, not in dashboards or tickets. The problem is no longer finding vulnerabilities. It is delivering the right remediation guidance at the exact moment an engineer can act.

This talk is a field report from building open patterns for that delivery. We built OVRSE, an open remediation specification, and a community MCP server that brings exploitability, breaking change risk, patch stability signals, and remediation commands directly into the AI tools engineers already use. It worked. It also broke in surprising ways.

You will see why tool prompt instructions became security controls, why structured output replaced dashboards as the interface between security and engineering, and why MCP adoption created a governance gap most security teams have not noticed yet.

This is not a product talk. It is a practitioner report on how the delivery layer for security intelligence is changing, and what the community needs to do about it.