Every secure API draws a line between code and data. HTTP separates headers from bodies. SQL has prepared statements. Even email distinguishes the envelope from the message. The Model Context Protocol (MCP), the fast-growing standard for connecting AI agents to external services, inherits that gap from the models it sits on top of. Its central premise is that a language model reads tool descripti [...]
ICE has admitted that it uses spyware from the Israeli company Graphite. [...]
Rocket.Chat disclosed a bug submitted by npc: https://hackerone.com/reports/3564655 [...]
A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of doll [...]
TL;DR AI risk doesn’t live in the model. It lives in the APIs behind it. Every AI interaction triggers a chain of API calls across your environment. Many of those APIs aren’t documented or tracked. That’s your real exposure. Shadow API discovery gives you visibility into those hidden endpoints, so you can find them before attackers do. If you don’t know which APIs your AI relies on, you can [...]
Grupo Seguritech is a Mexican surveillance company that is expanding into the US. [...]
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3486747 [...]
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590586 [...]
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590583 [...]
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590576 [...]
The New York Times has a long article where the author lays out an impressive array of circumstantial evidence that the inventor of Bitcoin is the cypherpunk Adam Back. I don’t know. The article is convincing, but it’s written to be convincing. I can’t remember if I ever met Adam. I was a member of the Cypherpunks mailing list for a while, but I was never really an active partici [...]
curl disclosed a bug submitted by valvelvel: https://hackerone.com/reports/3680680 [...]
curl disclosed a bug submitted by fg0x0: https://hackerone.com/reports/3680038 [...]
Nextcloud disclosed a bug submitted by aikido_security: https://hackerone.com/reports/3594137 [...]
curl disclosed a bug submitted by skksndk: https://hackerone.com/reports/3680234 [...]
Ruby on Rails disclosed a bug submitted by smlee: https://hackerone.com/reports/3601655 [...]
Pretty fantastic video from Japan of a giant squid eating another squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
curl disclosed a bug submitted by asdwe: https://hackerone.com/reports/3673277 [...]
Last week, Anthropic pulled back the curtain on Claude Mythos Preview, an AI model so capable at finding and exploiting software vulnerabilities that the company decided it was too dangerous to release to the public. Instead, access has been restricted to roughly 50 organizations—Microsoft, Apple, Amazon Web Services, CrowdStrike and other vendors of critical infrastructure—under an in [...]
Two weeks ago, Google’s Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as little as 9 minutes. Today, Trail of Bits is publishing our own zero-knowledge proof that significantly improves Google’s on all metrics. Our result is not due to some quantum breakthrou [...]
What you will learn How AI is boosting researcher productivity How new researchers are approaching bug bounties Why the quality of submissions is not declining How effective triage and coordination are crucial AI and the growing ecosystem of tools built around it have now moved beyond early experimentation and into everyday use across the bug bounty community. What initially showed up as AI- [...]
Why we’re launching the program What it means to be a Burp Ambassador What we’re aiming for Our Burp Ambassadors Alan Levy Corey Ball Federico Dotta Rana Khalil Tib3rius Looking ahead Get Involved - B [...]
HackerOne disclosed a bug submitted by joejoe5: https://hackerone.com/reports/3168691 [...]
HackerOne disclosed a bug submitted by hellokbit: https://hackerone.com/reports/3287208 - Bounty: $12500 [...]
Interesting research: “Humans expect rationality and cooperation from LLM opponents in strategic games.” Abstract: As Large Language Models (LLMs) integrate into our social and economic interactions, we need to deepen our understanding of how humans respond to LLMs opponents in strategic settings. We present the results of the first controlled monetarily-incentivised laboratory experim [...]
curl disclosed a bug submitted by hybirdss: https://hackerone.com/reports/3674275 [...]
Understanding npm and the importance of dependency cooldowns. [...]
arkadiyt-projects disclosed a bug submitted by argareksapatii: https://hackerone.com/reports/3642600 [...]
AWS VDP disclosed a bug submitted by killnet-edc: https://hackerone.com/reports/3591725 [...]
This article on the walls of Constantinople is fascinating. The system comprised four defensive lines arranged in formidable layers: The brick-lined ditch, divided by bulkheads and often flooded, 15-20 meters wide and up to 7 meters deep. A low breastwork, about 2 meters high, enabling defenders to fire freely from behind. The outer wall, 8 meters tall and 2.8 meters thick, with 82 projecting to [...]
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited [...]
Basecamp disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3608199 - Bounty: $500 [...]
Basecamp disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3543475 - Bounty: $218 [...]
Nextcloud disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3382343 [...]
This is a current list of where and when I am scheduled to speak: I’m speaking at DemocracyXChange 2026 in Toronto, Ontario, Canada, on April 18, 2026. I’m speaking at the SANS AI Cybersecurity Summit 2026 in Arlington, Virginia, USA, at 9:40 AM ET on April 20, 2026. I’m speaking at the Greater Good Gathering in New York City, USA, on Tuesday, April 21, 2026. I’m speaking at the Nemertes [N [...]
Interesting paper: “What hackers talk about when they talk about AI: Early-stage diffusion of a cybercrime innovation.” Abstract: The rapid expansion of artificial intelligence (AI) is raising concerns about its potential to transform cybercrime. Beyond empowering novice offenders, AI stands to intensify the scale and sophistication of attacks by seasoned cybercriminals. This paper exa [...]
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3423950 [...]
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3321406 [...]
Brave Software disclosed a bug submitted by mousepadkalilinux12: https://hackerone.com/reports/3665151 - Bounty: $100 [...]
The cybersecurity industry is obsessing over Anthropic’s new model, Claude Mythos Preview, and its effects on cybersecurity. Anthropic said that it is not releasing it to the general public because of its cyberattack capabilities, and has launched Project Glasswing to run the model against a whole slew of public domain and proprietary software, with the aim of finding and patching all the vu [...]
Nextcloud disclosed a bug submitted by py0zz1: https://hackerone.com/reports/3400143 - Bounty: $250 [...]
curl disclosed a bug submitted by midoussa7: https://hackerone.com/reports/3669305 [...]
curl disclosed a bug submitted by pwnpwn: https://hackerone.com/reports/3665363 [...]
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620760 [...]
Posted by Jiacheng Lu, Software Engineer, Google Pixel Team Google is continuously advancing the security of Pixel devices. We have been focusing on hardening the cellular baseband modem against exploitation. Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities. For Pixel 10, Google is advancing its p [...]
Rocket.Chat disclosed a bug submitted by soohyun: https://hackerone.com/reports/3418031 [...]
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3020021 [...]
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3325582 [...]
What you will learn How AI is changing bug bounty Where AI helps security teams Why human hackers matter What the future of bug bounty looks like AI and all the tools built around related technologies have been working their way into the Bug Bounty community for a little over a year now and by around March 2025 we started seeing notably AI-written reports. It is time to take stock of what imp [...]
Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team Following our April 2024 announcement, Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome release. This project represents a significant step forward in our ongoing efforts to co [...]
RubyGems disclosed a bug submitted by mclaren650sspider: https://hackerone.com/reports/3079931 [...]
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code. We’ve identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases and organized them into sections covering Linux, Windows, and seccomp. Whereas other handbook chapters focus on static and dynamic analysis, this chapter offers a strong basis for manu [...]
curl disclosed a bug submitted by adityasunny_06: https://hackerone.com/reports/3658049 [...]
A look at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding [...]
Glassdoor disclosed a bug submitted by auxilus: https://hackerone.com/reports/909084 [...]
Glassdoor disclosed a bug submitted by amakki: https://hackerone.com/reports/970763 [...]
Glassdoor disclosed a bug submitted by z3ron3: https://hackerone.com/reports/818094 [...]
Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code. Micros [...]
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620761 [...]
Nextcloud disclosed a bug submitted by shiva2550: https://hackerone.com/reports/3518758 [...]
More power for bug hunters An education-first approach to bug bounty Rewards on Meta's Bug Bounty Platform Our shared vision Ready to get started? We’re excited to announce a new partnership with Meta [...]
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now [...]
curl disclosed a bug submitted by mzfr: https://hackerone.com/reports/3650443 [...]
curl disclosed a bug submitted by mzfr: https://hackerone.com/reports/3650473 [...]
curl disclosed a bug submitted by cutiapretaa: https://hackerone.com/reports/3650435 [...]
What You Will Learn What the UK Cyber Security & Resilience Bill covers Which organizations and sectors will be affected New incident reporting and regulatory requirements How to prepare your organization for compliance The content of the Cyber Security & Resilience Bill (CSRB) recently introduced to Parliament contained few surprises. Having spent a significant amount of time working with E [...]
Glassdoor disclosed a bug submitted by downgrade: https://hackerone.com/reports/2516237 [...]
Glassdoor disclosed a bug submitted by zorixu: https://hackerone.com/reports/2682538 [...]
Glassdoor disclosed a bug submitted by imtheking: https://hackerone.com/reports/1820146 [...]
Monero disclosed a bug submitted by jehrenhofermagicgrants: https://hackerone.com/reports/3241102 [...]
Monero disclosed a bug submitted by jehrenhofermagicgrants: https://hackerone.com/reports/3240792 [...]
Glassdoor disclosed a bug submitted by avielt: https://hackerone.com/reports/881118 [...]
curl disclosed a bug submitted by spiderchan26: https://hackerone.com/reports/3645415 [...]
curl disclosed a bug submitted by divsz: https://hackerone.com/reports/3651975 [...]
An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. Shchukin was n [...]
curl disclosed a bug submitted by spichanlio76: https://hackerone.com/reports/3646914 [...]
curl disclosed a bug submitted by intrax: https://hackerone.com/reports/3645361 [...]
curl disclosed a bug submitted by rougerseven7: https://hackerone.com/reports/3648199 [...]
curl disclosed a bug submitted by intrax71: https://hackerone.com/reports/3640932 [...]
curl disclosed a bug submitted by calaba_zas: https://hackerone.com/reports/3641893 [...]
Mixed Boolean-Arithmetic (MBA) obfuscation disguises simple operations like x + y behind tangles of arithmetic and bitwise operators. Malware authors and software protectors rely on it because no standard simplification technique covers both domains simultaneously; algebraic simplifiers don’t understand bitwise logic, and Boolean minimizers can’t handle arithmetic. We’re releasing CoBRA, an [...]