Younger Americans have soured on the second Donald Trump presidency, but they are not protesting it. Despite an unpopular Iran war and an even more unpopular Trump administration, college campus protests nationwide have gone silent. And at many schools, student activism is virtually nonexistent. This silence comes in the wake of a relentless Trump administration war on campus speech that has invol [...]
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620748 [...]
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620753 [...]
Brave Software disclosed a bug submitted by aaront: https://hackerone.com/reports/3693295 [...]
Security teams running Bug Bounty programs often require similar insights and reporting to prove the value and ROSI for security initiatives, and often ask questions such as: What changed? Where are we spending? Are we improving? What needs attention right now? Until now, answering those questions often meant exporting data, stitching together spreadsheets, or pulling screenshots from [...]
CVE-2026-31431 (Copy Fail) lets any unprivileged user corrupt the Linux page cache via AF_ALG sockets to escalate privileges. This post covers the exploit mechanics and how Datadog Security Research used coding agents to ship a detection content pack in a single session. [...]
The 2025 Internet Crime Report was published a few weeks ago, but I only just saw it. Lots of interesting statistics. Press release. News articles. [...]
Not identifying people based on their use of Wi-Fi routers, but identifying people using Wi-Fi signals. This is accomplished through what is known as WiFi sensing, or the use of WiFi signals to infer information about a physical environment. When radio signals like WiFi travel through a space, they interact with the objects and people around them. Those signals can be reflected, scattered, or abso [...]
As part of our recent AI series, I’ve been sharing my insights on the key topics, questions, and debates currently shaping the industry. I have covered my opinions regarding holding the human layer sacred in the AI era, where I explored what I deem is the beating heart of the Bug Bounty industry, AI strengths and weaknesses, where human hackers fit in, and what businesses will face in the next 3 t [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751715 [...]
curl disclosed a bug submitted by jingzhou: https://hackerone.com/reports/3752567 [...]
Rocket.Chat disclosed a bug submitted by deprrous: https://hackerone.com/reports/3734326 [...]
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure o [...]
Node.js disclosed a bug submitted by junius: https://hackerone.com/reports/3736889 [...]
Node.js disclosed a bug submitted by v1ct0rv0nd00m: https://hackerone.com/reports/3752489 [...]
🦗 There hasn’t been a post here in years and I really should do something about this, but in the meantime here are my slides for my BSides Dublin 2026 talk Fighting Fire with Fire: Using AI to Scale Your Product Security Team https://docs.google.com/presentation/d/1zuB920nmw4UtKP3ZsHoUT9Eqi04NVLD7upWK6C9Vmhg I will update this post when the recording is posted on YouTube. [...]
The South Pacific Regional Fisheries Management Organization (SPRFMO) needs to regulate squid fishing in the South Pacific. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked [...]
Crazy story: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, a [...]
In March 2026, attackers exploited a pull_request_target misconfiguration in the aquasecurity/trivy-action GitHub Action to exfiltrate organization and repository secrets, then used those credentials to backdoor LiteLLM on PyPI (see Trivy’s post-mortem for the full timeline). zizmor is a static analyzer that GitHub Actions users run to catch exactly these misconfigurations before they ship. [...]
Nextcloud disclosed a bug submitted by msatz: https://hackerone.com/reports/3572848 [...]
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, [...]
A group used Anthropic’s Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple’s M5. News article. [...]
AI is changing the volume and accelerating the pace of vulnerability submissions. If you've been following our recent AI series, you already know that submission growth isn't a quality problem; it's a coordination problem. As Head of Triage, Lennaert Oudshoorn, outlines in his recent post, ‘The AI impact: A triager’s perspective’, the security industry is experiencing a surge in vulnerability disc [...]
A look at how Kubernetes CVE-2021-25740 allows users with EndpointSlice access to redirect traffic via shared ingress and load balancer services. [...]
curl disclosed a bug submitted by sdjasj: https://hackerone.com/reports/3747959 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733946 [...]
Good report: Executive Summary: Let’s say you wanted to make sure that your AI is secure. Can you just maximize the security and privacy benchmark and call it a day? Nope, because benchmarks don’t actually work for measuring AI capabilities (even when they are NOT emergent systemic properties like security). So let’s take a step back: how do you measure security in the first plac [...]
CoinMate.io disclosed a bug submitted by glferreira-devsecops: https://hackerone.com/reports/3676308 [...]
CoinMate.io disclosed a bug submitted by glferreira-devsecops: https://hackerone.com/reports/3670955 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734947 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734992 [...]
curl disclosed a bug submitted by 7omoo: https://hackerone.com/reports/3741135 [...]
curl disclosed a bug submitted by hexproof: https://hackerone.com/reports/3739561 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735179 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735276 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734095 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734020 [...]
Not by name, but Laurie Anderson quotes me in one of the tracks of her new album: My favorite quote is from a cryptologist who said “If you think technology will solve your problems, you don’t understand technology and you don’t understand your problems.” Also in interviews: “Of course, it’s ridiculous, outrageous, blah, blah, blah,” Anderson says about th [...]
GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/3560256 [...]
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it rep [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733934 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735238 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735080 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734935 [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733984 [...]
It’s nasty, but it requires physical access to the computer: The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a [...]
Editor's note: This article was originally published by Craig Riddell on LinkedIn. It has been republished here with the author's permission. Boards are giving AI security more airtime than ever. What they're not giving is the right framing. A year or two ago, AI was mostly a question of experimentation risk. Today, it's tied directly to revenue, customer experience, operational efficiency, [...]
Enjin disclosed a bug submitted by ph0r3nsic: https://hackerone.com/reports/3589247 [...]
Rocket.Chat disclosed a bug submitted by josan_george: https://hackerone.com/reports/3713682 [...]
As part of our AI series, I recently released a blog on the topic of keeping the human layer sacred in the AI era. There, I shared my thoughts on where human intelligence fits, the decisions I believe companies will face in the next 3 to 5 years, and explored what I deem to be the beating heart of the Bug Bounty industry. Considering that discussion, I want to continue the conversation regarding [...]
Introducing Pathfinding Labs, a collection of intentionally vulnerable AWS environments for red teamers and blue teamers to deploy, exploit, and use for detection validation. [...]
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734921 [...]
curl disclosed a bug submitted by mulan_dh: https://hackerone.com/reports/3736234 [...]
Article about the bigfin squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Nextcloud disclosed a bug submitted by suul: https://hackerone.com/reports/3462991 [...]
Yuga Labs disclosed a bug submitted by r00tsid: https://hackerone.com/reports/1821085 - Bounty: $250 [...]
curl disclosed a bug submitted by rootofpi_ramesh: https://hackerone.com/reports/3725659 [...]
We investigate how a coordinated supply chain campaign that compromised npm and PyPI packages also backdoored the official Cemu Nintendo Wii U emulator GitHub release, reaching nearly 20,000 Linux users. [...]
An analysis of backdoored node-ipc npm releases that add an obfuscated credential collection and DNS exfiltration payload to the CommonJS entrypoint. [...]
A static analysis of the open-sourced Shai-Hulud offensive framework attributed to TeamPCP, covering its credential harvesting, supply chain poisoning, and exfiltration capabilities. [...]
Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple, Google, Microsoft, Mozilla and Oracle — fixing near record volumes of secu [...]
The Model Context Protocol (MCP) is a de facto standard for providing structured access to privileged systems for AI agents and external integrations. It acts as a USB-C port for AI, enabling faster innovation by allowing organizations to expose tools, resources, and workflows without the time-consuming work of building APIs. Adoption has surged in recent months, and categories like payments, [...]
AWS VDP disclosed a bug submitted by jcow: https://hackerone.com/reports/3577145 [...]
Now that the dust has settled on Mythos dropping, there is space for more considered reflection on the direction of travel. Mythos wasn't a surprise; it's another data point on a trajectory that's bee [...]