Jacob Kaplan-Moss

I’m a software developer, co-creator of Django, and engineering leader. I’m an owner and consultant at REVSYS, and am the Treasurer of the Django Software Foundation. Previous jobs: Latacora, Hangar, 18F, Heroku. If you’re looking to contact me, please see how to get in touch and the ways I’m available to help.

Writing

Potential causes of accidents in outdoor pursuits (the Meyer/Williamson matrix)

The Meyer/Williamson matrix is a framework enumerating pretty much all potential causes of accidents in outdoor activities. I first ran across it in Deb Ajango’s Lessons Learned II, but I’ve had a really hard time finding an original source to cite. It appears to be taken from various presentations that Dan Meyer and Jed Williamson have given over several decades. There are various PDF versions floating around the web, but they tend to linkrot and I’ve never found a good HTML version. I’m reproducing it here so that I’ve got a good stable HTML version to link to in the future.
June 17th, 2025 • accidents outdoor risk

Changing Directions

I have two important announcements:

  1. I’m leaving the tech industry. Hopefully “for good”; if not, at least “for now”.

  2. As such, the content on this blog is going to shift, perhaps dramatically. I’m going to be writing about a broader range of topics that interest me (projects around my hobby farm, wilderness trips, emergency medicine) – more writing for me, less writing for some imagined audience. (I’ll probably still end up writing about some of the same topics as I’ve been covering since 2020, just less often.)

I’m writing this post mostly to give myself permission to make that change, and to give readers the opportunity to unsubscribe/unfollow if they’re not interested.

If you’re interested in more details about why I’m leaving the industry and what’s next for me and this blog, read on.

June 3rd, 2025 • career personal

🔗 Decision making matrix for alpine climbing (#)

Great example of a simple risk framework in action.

May 13th, 2025 • climbing decisions risk

How to report a security issue in an open source project

So you’ve found a security issue in an open source project – or maybe just a weird problem that you think might be a security problem. What should you do next?
March 27th, 2025 • open source security

Beware tech career advice from old heads

If you’re new to tech – say, less than 5 years in the field – you should take career advice from people who’ve been in the industry more than 10-15 years with enormous skepticism.
March 13th, 2025 • career jobs tech

🔗 Building a Community Privacy Plan (#)

Really great guide. I love the community focus — so many of these security guides are individually-oriented, which limits their applicability to groups, especially volunteer groups.

February 19th, 2025 • community privacy security

Thinking About Risk: Sidebar #4: Quantitative Risk Revisited

In part 1 of this series, I briefly covered quantitative risk measuring – assigning a numeric value to risk, like “$3,500”, rather than a qualitative label like “medium” – only to quickly recommend against trying it. In this final sidebar, I want to come back to this topic. I’ll spend a bit more time explaining what I see as the pros and cons of quantitative risk measurement – why you might or might not want to use numeric values over more simple risk matrixes.
January 28th, 2025 • risk security

Thinking About Risk: Sidebar #3: Two Flavors of Medium Risk

When you look at a likelihood/impact risk matrix, you might notice that “medium” appears twice – once as high-likelihood/low-impact, and once as low-likelihood/high-impact. These two “mediums” aren’t at all the same!
January 17th, 2025 • risk security

Thinking About Risk: Sidebar #2: The Swiss Cheese Model

In the real world, accidents happen when a series of small missteps align to create severe consequences. This is something we call the “Swiss Cheese Model”: imagining a systems failure as a set of “holes” in our layers of defense that all line up to create a serious accident.
January 16th, 2025 • risk security

Thinking About Risk: Sidebar #1: "Exposure"

Risk is usually defined as the product of two factors: Likelihood and Impact. However, some disciplines include a third factor: Exposure. What’s that about, and when is it useful?
January 15th, 2025 • risk security

🔗 Cognitive Biases Codex.pdf (#)

January 4th, 2025 •

🔗 The 2025 journalist’s digital security checklist (#)

A pretty good checklist. Some things are tailored for the relatively-higher risk faced by journalists, but with some judicious “not applicable” application could be a good checklist for anyone.

December 11th, 2024 • digital security privacy security

Thinking About Risk: Mitigation

So you’ve identified a risk — now what do you do about it? Here’s a simple framework to help frame discussions about risk mitigation. It’s intentionally very simple, a basic starting point. I’ll present a more complex framework later in this series, but I want to lay more of a foundation before I get there, so we’ll start here.
December 10th, 2024 • risk security

Thinking About Risk: An introduction to thinking about risk

Welcome to a new series about how to think about risk. This series is a crash course, a high-level introduction to the most important concepts and risk frameworks. It’s intended for people who encounter risk from time to time and need some basic tools, but don’t want to make a deep study of it. My hope is that it’ll help you better analyze risk when it comes up for you, and also make it easier to navigate conversations with risk professionals.
December 4th, 2024 • risk security

Free digital security checkups for people/organizations concerned about the incoming US government

If you — as an individual or a group — are re-assessing your digital security posture in light of the US election results, I’m available to help. I’m offering free digital security check-ups to anyone who feels like they need it now.
November 11th, 2024 • security

🔗 Democratising publishing (#)

“Ghost is a distributed non-profit foundation which gives away all of its intellectual property under a permissive MIT license. The company has no investors and, in fact, no owners of any kind. I don’t own any part of Ghost, and neither does my co-founder Hannah.

We currently generate around $7.5M in annual revenue, and have been profitable and sustainable for the past 12 years.

“Wait, what?”

I’m glad you asked.”

🔗 Phishing simulations - Rami's Wiki (#)

Round up of research and commentary on phishing sims

October 22nd, 2024 • phishing research security

Why you should run for the DSF Board, and my goals for the DSF in 2025

Applications are open for the 2025 Django Software Foundation Board of Directors – you can apply until October 25th. So, in this post I’ll do two things: try to convince you to run for the board, and document my goals and priorities for 2025.
October 18th, 2024 • django dsf

🔗 Reflections on Palantir (#)

I suspect the tone here — largely laudatory, and looking up to people like Peter Thiel and Paul Graham — will rub most of my readers the wrong way.

Look past that, and pay attention to the notes on what makes Palantir work. I completely agree with a lot of the conclusions about how important being embedded with real customers is. It happens also to be the model that I saw working at 18F and USDS!

October 17th, 2024 • engineering management palentir

🔗 Prioritizing Detection Engineering (#)

Detection Engineering is a concept that has emerged in the detection space. It acknowledges the complexity of a detection stack and the…

October 12th, 2024 • alerting detection engineering security
