Fetched At: October 23, 2025
# Jacob Kaplan-Moss

I’m a software developer, co-creator of Django, and engineering leader. I’m an owner and consultant at REVSYS, and am the Treasurer of the Django Software Foundation. Previous jobs: Latacora, Hangar, 18F, Heroku.

If you’re looking to contact me, please see how to get in touch and the ways I’m available to help.

## Writing

### 📝 Working in Between Public and Private

If working in public isn’t working, consider adopting a middle-ground option instead of retreating into fully-private.

October 18th, 2025 • community open source working models

### 🔗 Writing a risk scenario

A risk scenario is a fictional but plausible event that could harm your organization. Writing one well improves communication with others…

October 8th, 2025 • risk security threatmodeling

### 🔗 FACETS - Avalanche.org

“FACETS is an acronym presented by Ian McCammon to describe a set of 6 heuristic traps that were common in his study of recreational accidents.”

September 9th, 2025 • avalanche risk safety

### 🔗 This World of Ours (James Mickens)

I was reminded of this classic paper in the threat modeling literature canon. Hilarious and also insightful — worth a read if you haven’t seen it before.

August 12th, 2025 • essays humor threatmodeling

### 📝 Two Scenario Threat Modeling

A trap that many people fall into when trying to do threat modeling or risk planning is a fear of being incomplete that leads them to not even try. People think, “there are so many possible things that could go wrong, so many potential risks. It’s going to be such a *huge* effort to enumerate all possible scenarios, and I don’t have time, so I guess I can’t do threat modeling.”

That is, threat modeling seems so big, so hairy, that people believe it’s too complex to tackle.

This just isn’t true! **Some planning is always better than no planning**.

In fact, you can get a surprising amount of value out of a very simple and fast technique: imagine a couple of scenarios – **just two!** – and game out what you could do to mitigate them.

August 8th, 2025 • planning risk threat modeling

### 📝 Comfort Scores: A risk mitigation tool for pre-trip briefings

A tool I like for pre-trip briefings that can help groups assess their ability to tackle a tricky objective.

August 4th, 2025 • briefings decision making groups risk

### 🔗 Using AI to build a tactical shooter

Via RC’s AI article, a fascinating recording of someone programming a game almost entirely by prompting Claude by voice. This feels truly “futuristic” to me. Sure it’s clunky at times, but damn if this isn’t closer to the Star Trek computer than I ever thought I’d see in my lifetime.

July 28th, 2025 • ai programming

### 🔗 Developing our position on AI - Blog - Recurse Center

Detailed, nuanced, and well-thought-out. Tons of great and insightful quotes from RC alums. And their conclusion is, I think, perfect:

> You should use AI-powered tools to complement or increase your agency, not replace it.

July 28th, 2025 • ai llm programming recurse center

### 📝 What if We Thought About Risk Decisions Differently?

Risk professionals often operate from the assumption that people are inherently bad at assessing risk, especially when it comes to low-probability, high-consequence scenarios. But what if this foundational belief is wrong? What if people are actually pretty good at understanding their own risks? What are some of the implications of approaching risk this way?

July 22nd, 2025 • risk security

### 📝 Ultralight Heresies

Stay off r/ultralight. Bring the gear that’s appropriate to your trip objectives and conditions.

July 21st, 2025 • backpacking ultralight

### 🔗 Evan Reese - Custom OnShape features

A bunch of really useful custom features for OnShape.

July 12th, 2025 • cad onshape

### 💡 TIL: 3d printed parts have different strength characteristics than conventionally-manufactured parts

An interesting 3d printing lesson about how the physical characteristics of printed parts differ from other manufacturing:

I needed to replace a rubber hydraulic hose retention strap on my tractor. The part’s $40 + shipping – ludicrous for a 6x2" strip of rubber – so perfect to try to replicate. I have some TPU filament that’s of similar flexibility, let’s go.

For V1, I just replicated the geometry exactly - including, without thinking about it, some little relief holes around the main hose holes:

July 8th, 2025 • 3d printing

### 📝 Potential causes of accidents in outdoor pursuits (the Meyer/Williamson matrix)

The Meyer/Williamson matrix is a framework enumerating pretty much all potential causes of accidents in outdoor activities. I first ran across it in Deb Ajango’s Lessons Learned II, but I’ve had a really hard time finding an original source to cite. It appears to be taken from various presentations that Dan Meyer and Jed Williamson have given over several decades. There are various PDF versions floating around the web, but they tend to linkrot and I’ve never found a good HTML version. I’m reproducing it here so that I’ve got a good stable HTML version to link to in the future.

June 17th, 2025 • accidents outdoor risk

### 📝 Changing Directions

I have two important announcements:

- I’m leaving the tech industry. Hopefully “for good”; if not, at least “for now”.
- As such, the content on this blog is going to shift, perhaps dramatically. I’m going to be writing about a broader range of topics that interest me (projects around my hobby farm, wilderness trips, emergency medicine) – more writing for *me*, less writing for some imagined audience. (I’ll probably still end up writing about some of the same topics as I’ve been covering since 2020, just less often.)

I’m writing this post mostly to give myself permission to make that change, and to give readers the opportunity to unsubscribe/unfollow if they’re not interested.

If you’re interested in more details about why I’m leaving the industry and what’s next for me and this blog, read on.

June 3rd, 2025 • career personal

### 🔗 Decision making matrix for alpine climbing

Great example of a simple risk framework in action.

May 13th, 2025 • climbing decisions risk

### 📝 How to report a security issue in an open source project

So you’ve found a security issue in an open source project – or maybe just a weird problem that you think might be a security problem. What should you do next?

March 27th, 2025 • open source security

### 📝 Beware tech career advice from old heads

If you’re new to tech – say, less than 5 years in the field – you should take career advice from people who’ve been in the industry more than 10-15 years with enormous skepticism.

March 13th, 2025 • career jobs tech

### 🔗 Building a Community Privacy Plan

Really great guide. I love the *community* focus — so many of these security guides are individually-oriented, which limits their applicability to groups, especially volunteer groups.

February 19th, 2025 • community privacy security

### 📝 Thinking About Risk: Sidebar #4: Quantitative Risk Revisited

In part 1 of this series, I briefly covered quantitative risk measuring – assigning a numeric value to risk, like “$3,500”, rather than a qualitative label like “medium” – only to quickly recommend against trying it. In this final sidebar, I want to come back to this topic. I’ll spend a bit more time explaining what I see as the pros and cons of quantitative risk measurement – why you might or might not want to use numeric values over more simple risk matrixes.

January 28th, 2025 • risk security

### 📝 Thinking About Risk: Sidebar #3: Two Flavors of Medium Risk

When you look at a likelihood/impact risk matrix, you might notice that “medium” appears twice – once as high-likelihood/low-impact, and once as low-likelihood/high-impact. These two “mediums” aren’t at all the same!

January 17th, 2025 • risk security

© Jacob Kaplan-Moss