Interesting: The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market. At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity [...]
Dust disclosed a bug submitted by 0xsom3a: https://hackerone.com/reports/3103755 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/2926361 [...]
Cosmos disclosed a bug submitted by vakzz: https://hackerone.com/reports/3018307 - Bounty: $15000 [...]
A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Musk’s Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agency’s sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from GitHub. Further investigation into one of those code b [...]
Dust disclosed a bug submitted by qatada: https://hackerone.com/reports/3101986 [...]
Dust disclosed a bug submitted by mous_haxk: https://hackerone.com/reports/3101858 [...]
Monero disclosed a bug submitted by boog900: https://hackerone.com/reports/2315026 [...]
Interesting research: “Guillotine: Hypervisors for Isolating Malicious AIs.” Abstract:As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a hypervisor architecture for sandboxing powerful AI models—models that, by accident or [...]
Monero disclosed a bug submitted by boog900: https://hackerone.com/reports/2693786 [...]
This post explains how malicious MCP servers can exploit the Model Context Protocol to covertly exfiltrate entire conversation histories by injecting trigger phrases into tool descriptions, allowing for targeted data theft against specific organizations. [...]
Monero disclosed a bug submitted by sagewilder2022: https://hackerone.com/reports/2912194 [...]
Monero disclosed a bug submitted by asurar0: https://hackerone.com/reports/2677306 [...]
Whatâs the difference between a risk, threat, and a vulnerability? A risk, according to NIST, is defined as âAn effect of uncertainty on or within information and technology. Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts to organizational o⊠[...]
Android phones will soon reboot themselves after sitting idle for three days. iPhones have had this feature for a while; it’s nice to see Google add it to their phones. [...]
A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk‘s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple b [...]
This post is about a vulnerability in the Model Context Protocol (MCP) called “Line Jumping,” where malicious servers can inject prompts through tool descriptions to manipulate AI model behavior without being explicitly invoked, effectively bypassing security measures designed to protect users. [...]
Trail of Bits’ Cyber Reasoning System “Buttercup” is competing in DARPA’s AI Cyber Challenge Finals, which now features increased budgets, multiple rounds, diverse challenge types, and the ability to use custom AI models. [...]
A live colossal squid was filmed for the first time in the ocean. It’s only a juvenile: a foot long. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]
We’re working on integrating an ASN.1 API into PyCA Cryptography, built on top of the same Rust ASN.1 implementation already used by Cryptography’s X.509 APIs. [...]
PlayStation disclosed a bug submitted by theflow0: https://hackerone.com/reports/2900606 - Bounty: $10000 [...]
Discord is testing the feature: “We’re currently running tests in select regions to age-gate access to certain spaces or user settings,” a spokesperson for Discord said in a statement. “The information shared to power the age verification method is only used for the one-time age verification process and is not stored by Discord or our vendor. For Face Scan, the solution ou [...]
Autodesk disclosed a bug submitted by ahmednasr1: https://hackerone.com/reports/3045455 [...]
This post describes a sophisticated social engineering campaign using Zoom’s remote control feature and provides technical solutions to protect organizations against this attack vector. [...]
Threat insights from Datadog Security Labs for Q1 2025. [...]
Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute. This is a big deal. The CVE program is one of those pieces of common infrastructure that everyone be [...]
WakaTime disclosed a bug submitted by 0x_matrix: https://hackerone.com/reports/3091909 [...]
A critical resource that cybersecurity professionals worldwide rely on to identify, mitigate and fix security vulnerabilities in software and hardware is in danger of breaking down. The federally funded, non-profit research and development organization MITRE warned today that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program — which is traditionally funded each [...]
Vibe coding is the latest trend sweeping through developer communities. Itâs the art of describing a concept, feeding it to an AI, and letting the LLM (Large Language Model) manifest the code based purely on vibes. The quote states, "You fully give in to the vibes, embrace exponentials, and forget that the code even exists." And as more developers rely on AI to "vibe" their way⊠[...]
Shopify disclosed a bug submitted by raymond_lind: https://hackerone.com/reports/1754843 [...]
As AI coding assistants invent nonexistent software libraries to download and use, enterprising attackers create and upload libraries with those names—laced with malware, of course. EDITED TO ADD (1/22): Research paper. Slashdot thread. [...]
Burp Suite Enterprise Edition has a new name: Burp Suite DAST. This new name better reflects what the product truly is: the most accurate, scalable solution for automated dynamic application security [...]
President Trump last week revoked security clearances for Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs’s employer SentinelOne, comes as CISA is facing huge f [...]
Monero disclosed a bug submitted by padillac: https://hackerone.com/reports/2858802 [...]
This is a current list of where and when I am scheduled to speak: I’m giving an online talk on AI and trust for the Weizenbaum Institute on April 24, 2025 at 2:00 PM CEST (8:00 AM ET). The list is maintained on this page. [...]
Wallarm Research has just released a powerful new Nuclei template targeting a new kind of exposure: the Model Context Protocol (MCP). This isnât about legacy devtools or generic JSON-RPC pinging. Itâs about the protocol fueling next-gen LLM applications â and itâs already showing up exposed in the wild. What is Model Context Protocol? MCP, developed by Anthropic, introduces a standardized w [...]
The Wall Street Journal has the story: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate. The Chinese delegation linked years of intrusions into computer networks at U [...]
WakaTime disclosed a bug submitted by parthabishwas: https://hackerone.com/reports/3090641 [...]
1Password - Enterprise Password Manager disclosed a bug submitted by stomper4: https://hackerone.com/reports/3042984 [...]
Researchers are trying to use squid color-changing biochemistry for solar tech. This appears to be new and related research to a 2019 squid post. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]
Lichess disclosed a bug submitted by ryomenshuvro: https://hackerone.com/reports/3068485 [...]
Hello Hackers đ Spring is in the air, and so is the sweet scent of freshly reported bugs. Intigritiâs blooming tooâeach month, we squad up with elite hackers to drop hot tips, platform news, shiny new programs, and community events you wonât want to miss. Letâs make this bug season one for the bounty books. đđ° Hackdonalds Challenge! Want a bonus challenge? Quick, the game is⊠[...]
China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatica [...]
On March 25, 2025, NIST released the initial public draft of NIST SP 800-228, "Guidelines for API Protection for Cloud-Native Systems." The document provides a comprehensive framework for securing APIs in cloud-enabled environments. However, for organizations looking to align with these objectives, the tooling requirements may seem initially overwhelming. Fortunately, Wallarm helps strea [...]
When we wrapped up our biggest-ever webinar, The Future of AppSec: PortSwiggerâs Vision, the conversation was far from over. With thousands of security professionals tuning in live, the questions came [...]
Agentic AI is transforming business. Organizations are increasingly integrating AI agents into core business systems and processes, using them as intermediaries between users and these internal systems. As a result, these organizations are improving efficiency, automating routine tasks, and driving innovation. But these benefits come at a cost. AI agents rely on APIs to access data and f [...]
Every year, the number of vulnerabilities discovered and recorded increases. The sheer volume of vulnerabilities makes it impractical for organizations to patch everything, which is why they focus on prioritizing and remediating the most critical ones. On top of this, itâs very difficult to assess the true criticality of a vulnerability. This is precisely why bug bounty program⊠[...]
Snapshot Fuzzing enables security engineers to effectively test software that is traditionally difficult to analyze, such as kernels, secure monitors, and other complex targets that require non-trivial setup. Whether you’re auditing drivers or other kernel-mode components, including antivirus software, snapshot fuzzing provides a robust way to discover critical vulnerabilities. Consult our n [...]
Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild. Eleven of those flaws earned Microsoft’s most-dire “critical” rating, meaning malware or malcontents could exploit them with little to no interaction from Windows users. The zero-day flaw alre [...]
Ruby on Rails disclosed a bug submitted by leonsirio: https://hackerone.com/reports/3008446 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3014785 [...]
Subdomain takeovers are a well-documented security misconfiguration. Despite widespread awareness, developers still frequently forget to remove DNS records pointing to forgotten and unused third-party services, allowing these vulnerabilities to be present even today. In this article, we will learn what subdomain takeover vulnerabilities are, we will cover ways on how to identif⊠[...]
Autodesk disclosed a bug submitted by 0xsom3a: https://hackerone.com/reports/2978923 [...]
KHealth disclosed a bug submitted by eneri: https://hackerone.com/reports/2193454 [...]
Adobe disclosed a bug submitted by jf0x0r: https://hackerone.com/reports/2615168 [...]
Posted by Elie Burzstein and Marianna Tishchenko, Sec-Gemini teamToday, weâre announcing Sec-Gemini v1, a new experimental AI model focused on advancing cybersecurity AI frontiers. As outlined a year ago, defenders face the daunting task of securing against all cyber threats, while attackers need to successfully find and exploit only a single vulnerability. This fundamental asymmetry has made [...]
Posted by Mihai Maruseac, Google Open Source Security Team (GOSST)In partnership with NVIDIA and HiddenLayer, as part of the Open Source Security Foundation, we are now launching the first stable version of our model signing library. Using digital signatures like those from Sigstore, we allow users to verify that the model used by the application is exactly the model that was created by the develo [...]
A Minnesota cybersecurity and computer forensics expert whose testimony has featured in thousands of courtroom trials over the past 30 years is facing questions about his credentials and an inquiry from the Federal Bureau of Investigation (FBI). Legal experts say the inquiry could be grounds to reopen a number of adjudicated cases in which the expert’s testimony may have been pivotal. One mi [...]
PortSwigger's Vision In March, PortSwigger hosted its biggest webinar to date and the turnout spoke volumes. With over 7,500 registrants, itâs clear that the future of application security is top of m [...]