This article on the walls of Constantinople is fascinating. The system comprised four defensive lines arranged in formidable layers: The brick-lined ditch, divided by bulkheads and often flooded, 1520 meters wide and up to 7 meters deep. A low breastwork, about 2 meters high, enabling defenders to fire freely from behind. The outer wall, 8 meters tall and 2.8 meters thick, with 82 projecting tow [...]
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited [...]
Basecamp disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3608199 - Bounty: $500 [...]
Basecamp disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3543475 - Bounty: $218 [...]
Nextcloud disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3382343 [...]
This is a current list of where and when I am scheduled to speak: I’m speaking at DemocracyXChange 2026 in Toronto, Ontario, Canada, on April 18, 2026. I’m speaking at the SANS AI Cybersecurity Summit 2026 in Arlington, Virginia, USA, at 9:40 AM ET on April 20, 2026. I’m speaking at the Greater Good Gathering in New York City, USA, on Tuesday, April 21, 2026. I’m speaking at the Nemertes [N [...]
Interesting paper: “What hackers talk about when they talk about AI: Early-stage diffusion of a cybercrime innovation.” Abstract: The rapid expansion of artificial intelligence (AI) is raising concerns about its potential to transform cybercrime. Beyond empowering novice offenders, AI stands to intensify the scale and sophistication of attacks by seasoned cybercriminals. This paper exa [...]
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3423950 [...]
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3321406 [...]
Brave Software disclosed a bug submitted by mousepadkalilinux12: https://hackerone.com/reports/3665151 - Bounty: $100 [...]
The cybersecurity industry is obsessing over Anthropic’s new model, Claude Mythos Preview, and its effects on cybersecurity. Anthropic said that it is not releasing it to the general public because of its cyberattack capabilities, and has launched Project Glasswing to run the model against a whole slew of public domain and proprietary software, with the aim of finding and patching all the vu [...]
Nextcloud disclosed a bug submitted by py0zz1: https://hackerone.com/reports/3400143 - Bounty: $250 [...]
All the leading AI chatbots are sycophantic, and that’s a problem: Participants rated sycophantic AI responses as more trustworthy than balanced ones. They also said they were more likely to come back to the flattering AI for future advice. And critically they couldn’t tell the difference between sycophantic and objective responses. Both felt equally “neutral” to them. On [...]
curl disclosed a bug submitted by midoussa7: https://hackerone.com/reports/3669305 [...]
curl disclosed a bug submitted by pwnpwn: https://hackerone.com/reports/3665363 [...]
Regulation is hard: The South Pacific Regional Fisheries Management Organization (SPRFMO) oversees fishing across roughly 59 million square kilometers (22 million square miles) of the South Pacific high seas, trying to impose order on a region double the size of Africa, where distant-water fleets pursue species ranging from jack mackerel to jumbo flying squid. The latter dominated this year’ [...]
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620760 [...]
Posted by Jiacheng Lu, Software Engineer, Google Pixel Team Google is continuously advancing the security of Pixel devices. We have been focusing on hardening the cellular baseband modem against exploitation. Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities. For Pixel 10, Google is advancing its p [...]
Claude is actually pretty good on the issues. [...]
Rocket.Chat disclosed a bug submitted by soohyun: https://hackerone.com/reports/3418031 [...]
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3020021 [...]
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3325582 [...]
AI and all the tools built around related technologies have been working their way into the Bug Bounty community for a little over a year now and by around March 2025 we started seeing notably AI-written reports. It is time to take stock of what impact they have wrought already so we can look to the future and begin to address the reality and some of the fears surrounding this new technology. Thi [...]
Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team Following our April 2024 announcement, Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome release. This project represents a significant step forward in our ongoing efforts to co [...]
RubyGems disclosed a bug submitted by mclaren650sspider: https://hackerone.com/reports/3079931 [...]
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code. We’ve identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases and organized them into sections covering Linux, Windows, and seccomp. Whereas other handbook chapters focus on static and dynamic analysis, this chapter offers a strong basis for manu [...]
ProPublica has a scoop: In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s biggest cloud computing offerings. The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an i [...]
curl disclosed a bug submitted by adityasunny_06: https://hackerone.com/reports/3658049 [...]
A look at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding [...]
Glassdoor disclosed a bug submitted by auxilus: https://hackerone.com/reports/909084 [...]
Glassdoor disclosed a bug submitted by amakki: https://hackerone.com/reports/970763 [...]
Glassdoor disclosed a bug submitted by z3ron3: https://hackerone.com/reports/818094 [...]
This is news: A malicious supply chain compromise has been identified in the Python Package Index package litellm version 1.82.8. The published wheel contains a malicious .pth file (litellm_init.pth, 34,628 bytes) which is automatically executed by the Python interpreter on every startup, without requiring any explicit import of the litellm module. There are a lot of really boring things we need t [...]
AI is rapidly changing how software is written, deployed, and used. Trends point to a future where AIs can write custom software quickly and easily: "instant software." Taken to an extreme, it might become easier for a user to have an AI write an application on demand—a spreadsheet, for example—and delete it when you’re done using it than to buy one commercially. Future [...]
Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code. Micros [...]
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620761 [...]
Nextcloud disclosed a bug submitted by shiva2550: https://hackerone.com/reports/3518758 [...]
More power for bug hunters An education-first approach to bug bounty Rewards on Meta's Bug Bounty Platform Our shared vision Ready to get started? We’re excited to announce a new partnership with Meta [...]
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now [...]
curl disclosed a bug submitted by mzfr: https://hackerone.com/reports/3650443 [...]
curl disclosed a bug submitted by mzfr: https://hackerone.com/reports/3650473 [...]
curl disclosed a bug submitted by cutiapretaa: https://hackerone.com/reports/3650435 [...]
The content of the Cyber Security & Resilience Bill (CSRB) recently introduced to Parliament contained few surprises. Having spent a significant amount of time working with European cyber-security frameworks, particularly NIS2, I see the Bill as both a continuation of the trend towards common approaches, and a signal of how seriously governments now take cyber risk. From my perspective, there are [...]
Glassdoor disclosed a bug submitted by downgrade: https://hackerone.com/reports/2516237 [...]
Glassdoor disclosed a bug submitted by zorixu: https://hackerone.com/reports/2682538 [...]
Glassdoor disclosed a bug submitted by imtheking: https://hackerone.com/reports/1820146 [...]
Monero disclosed a bug submitted by jehrenhofermagicgrants: https://hackerone.com/reports/3241102 [...]
Monero disclosed a bug submitted by jehrenhofermagicgrants: https://hackerone.com/reports/3240792 [...]
Glassdoor disclosed a bug submitted by avielt: https://hackerone.com/reports/881118 [...]
curl disclosed a bug submitted by spiderchan26: https://hackerone.com/reports/3645415 [...]
curl disclosed a bug submitted by divsz: https://hackerone.com/reports/3651975 [...]
An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. Shchukin was n [...]
curl disclosed a bug submitted by spichanlio76: https://hackerone.com/reports/3646914 [...]
curl disclosed a bug submitted by intrax: https://hackerone.com/reports/3645361 [...]
curl disclosed a bug submitted by rougerseven7: https://hackerone.com/reports/3648199 [...]
curl disclosed a bug submitted by intrax71: https://hackerone.com/reports/3640932 [...]
curl disclosed a bug submitted by calaba_zas: https://hackerone.com/reports/3641893 [...]
Mixed Boolean-Arithmetic (MBA) obfuscation disguises simple operations like x + y behind tangles of arithmetic and bitwise operators. Malware authors and software protectors rely on it because no standard simplification technique covers both domains simultaneously; algebraic simplifiers don’t understand bitwise logic, and Boolean minimizers can’t handle arithmetic. We’re releasing CoBRA, an [...]
Posted by Adam Gavish, Google GenAI Security TeamIndirect prompt injection (IPI) is an evolving threat vector targeting users of complex AI applications with multiple data sources, such as Workspace with Gemini. This technique enables the attacker to influence the behavior of an LLM by injecting malicious instructions into the data or tools used by the LLM as it completes the user’s query. This ma [...]
Code coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high coverage can obfuscate the fact that critical functionality is untested as software develops over time. We saw this when mutation testing uncovered a high-severity Arkis protocol vulnerabi [...]
In March 2026, we ran BugQuest, a 31-day campaign covering everything you need to know about finding and exploiting broken access control vulnerabilities. From understanding the basics of authentication and authorization to spotting subtle authorization bypasses in real code, we broke down one of the most critical vulnerability classes in modern web applications. Broken access controls have consis [...]
curl disclosed a bug submitted by whitehat411: https://hackerone.com/reports/3639277 [...]
curl disclosed a bug submitted by h3xb1tx: https://hackerone.com/reports/3638715 [...]
Posted by Dirk Göhmann, Tony Mendez, and the Vulnerability Rewards Program Team2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉! Originally started in 2010, our vulnerability reward program (VRP) has seen constant additions and expansions over the past decade and a half, clearly indicating the value the programs under [...]
Sony disclosed a bug submitted by resurrect20: https://hackerone.com/reports/3355766 [...]
Nextcloud disclosed a bug submitted by eclipse07077: https://hackerone.com/reports/3479692 [...]
This post is adapted from a talk I gave at [un]prompted, the AI security practitioner conference. Thanks to Gadi Evron for inviting me to speak. You can watch the recorded presentation below or download the slides. Most companies hand out ChatGPT licenses and wait for the productivity numbers to move. We built a system instead. A year ago, about 5% of Trail of Bits was on board with our AI initiat [...]
curl disclosed a bug submitted by ankitsingh131225: https://hackerone.com/reports/3636244 [...]
curl disclosed a bug submitted by m42kl33: https://hackerone.com/reports/3636044 [...]