This is a current list of where and when I am scheduled to speak: I’m giving the Ross Anderson Lecture at the University of Cambridge’s Churchill College at 5:30 PM GMT on Thursday, March 19, 2026. I’m speaking at RSAC 2026 in San Francisco, California, USA, on Wednesday, March 25, 2026. I’m part of an event on “Canada and AI Sovereignty,” hosted by the University of Toronto’s Munk School of Glob [...]
Some good news: squid stocks seem to be recovering in the waters off the Falkland Islands. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
In 2025, Google, Amazon, Microsoft and Meta collectively spent US$380 billion on building artificial-intelligence tools. That number is expected to surge still higher this year, to $650 billion, to fund the building of physical infrastructure, such as data centers (see go.nature.com/3lzf79q). Moreover, these firms are spending lavishly on one particular segment: top technical talent. Meta reported [...]
Note: This is a guest post by pentester Julen Garrido Estévez (@b3xal). 1. Acknowledgements 2. Intro 3. Required tools 4. Strategy to solve/exploit the lab 5. Detecting 0.CL 5.1. Practical confirmatio [...]
Consensys disclosed a bug submitted by aszx87410: https://hackerone.com/reports/3507241 [...]
Apple announcement: …iPhone and iPad are the first and only consumer devices in compliance with the information assurance requirements of NATO nations. This enables iPhone and iPad to be used with classified information up to the NATO restricted level without requiring special software or settings—a level of government certification no other consumer mobile device has met. This is out [...]
IBM disclosed a bug submitted by cr3ckerxploit: https://hackerone.com/reports/3578842 [...]
curl disclosed a bug submitted by henriqueg: https://hackerone.com/reports/3598444 [...]
curl disclosed a bug submitted by otiscui: https://hackerone.com/reports/3598358 [...]
I'm a firm believer that if you want to understand how secure an application really is, you have to test how it behaves, not just how it was written. Automation has become essential to that. No AppSec [...]
Your board wants AI. Your developers are building with it. Your budget committee is asking for an ROI timeline. But as CISO, you're the one who has to answer when the inevitable question comes up: "How do we know this is secure?" If you're like most security leaders, you're caught between two impossible positions. Say yes to AI initiatives without proper security controls, and you're responsib [...]
Lovable VDP disclosed a bug submitted by marioniangi: https://hackerone.com/reports/3599248 [...]
Ethical hacking, often via Bug Bounty Programs or VDPs, operates within defined frameworks. These include a community Code of Conduct (CoC), setting program Rules of Engagement (RoE), and clarifying platform Terms of Service (ToS). Companies that invest in proactive security need to understand what these terms mean and the function they play in maintaining a secure and compliant program. The chall [...]
curl disclosed a bug submitted by m777m0: https://hackerone.com/reports/3597359 [...]
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U. [...]
AI systems are no longer just isolated models responding to human prompts. In modern production environments, they are increasingly chained together – delegating tasks, calling tools, and coordinating decisions with limited or no human oversight. Almost all that communication happens through APIs. This shift offers enormous productivity benefits. But it has also complicated secu [...]
Canada has a choice to make about its artificial intelligence future. The Carney administration is investing $2-billion over five years in its Sovereign AI Compute Strategy. Will any value generated by “sovereign AI” be captured in Canada, making a difference in the lives of Canadians, or is this just a passthrough to investment in American Big Tech? Forcing the question is OpenAI, the [...]
Account abstraction transforms fixed “private key can do anything” models into programmable systems that enable batching, recovery and spending limits, and flexible gas payment. But that programmability introduces risks: a single bug can be as catastrophic as leaking a private key. After auditing dozens of ERC‑4337 smart accounts, we’ve identified six vulnerability patterns that frequently appear. [...]
At PortSwigger, we’re always looking for ways to enable the world to secure the web, and today we’re excited to take that mission a step further. We’re pleased to announce a new collaboration bringing [...]
curl disclosed a bug submitted by rat5ak: https://hackerone.com/reports/3591944 [...]
curl disclosed a bug submitted by nobcoder: https://hackerone.com/reports/3584903 [...]
curl disclosed a bug submitted by spectreglobalsec: https://hackerone.com/reports/3583983 [...]
Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tue [...]
Intigriti and PortSwigger collaborate to reward hard-working hackers Best known as the creator of Burp Suite, the industry-standard toolkit for manual web application security testing, PortSwigger is a UK-based cybersecurity company on a mission to help the world secure the web. Today, their tools are trusted by over 20,000 organizations worldwide to detect and prevent cyber threats. To further su [...]
curl disclosed a bug submitted by sabari_n: https://hackerone.com/reports/3595753 [...]
Countries around the world are becoming increasingly concerned about their dependencies on the US. If you’ve purchase US-made F-35 fighter jets, you are dependent on the US for software maintenance. The Dutch Defense Secretary recently said that he could jailbreak the planes to accept third-party software. [...]
curl disclosed a bug submitted by sabari_n: https://hackerone.com/reports/3595764 [...]
During research, we sometimes encounter scenarios that remind us that it's a good idea to trust but verify. In September 2025, we noticed that certain Microsoft Copilot Studio agent settings did not log certain administrative actions related to sharing, authentication, logging, and publication of Copilot Studio agents. [...]
AWS VDP disclosed a bug submitted by locus-x64: https://hackerone.com/reports/3557138 [...]
Lovable VDP disclosed a bug submitted by hossam25: https://hackerone.com/reports/3370430 [...]
curl disclosed a bug submitted by brewm4ster: https://hackerone.com/reports/3584491 [...]
It’s called AirSnitch: Unlike previous Wi-Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs (Service Set Identifiers). This cross-layer identity desynchronization is the key driver of AirSnitch attacks. The most powerful such attack is a full, bidir [...]
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure. [...]
AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priori [...]
curl disclosed a bug submitted by y_security: https://hackerone.com/reports/3584865 [...]
Kubernetes disclosed a bug submitted by fisjkars: https://hackerone.com/reports/2701701 [...]
This is a very weird story about how squid stayed on the menu of Byzantine monks by falling between the cracks of dietary rules. At Constantinople’s Monastery of Stoudios, the kitchen didn’t answer to appetite. It answered to the “typikon”: a manual for ensuring that nothing unexpected happened at mealtimes. Meat: forbidden. Dairy: forbidden. Eggs: forbidden. Fish: feast-da [...]
OpenAI is in and Anthropic is out as a supplier of AI technology for the US defense department. This news caps a week of bluster by the highest officials in the US government towards some of the wealthiest titans of the big tech industry, and the overhanging specter of the existential risks posed by a new technology powerful enough that the Pentagon claims it is essential to national security. At [...]
An unknown hacker used Anthropic’s LLM to hack the Mexican government: The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft, Israeli cybersecurity startup Gambit Security said in research published Wednesday. [… [...]
LinkedIn disclosed a bug submitted by safehacker_2715: https://hackerone.com/reports/1734639 [...]
LinkedIn disclosed a bug submitted by riadalrashed: https://hackerone.com/reports/2339192 [...]
Lovable VDP disclosed a bug submitted by jdc94: https://hackerone.com/reports/3581815 [...]
Fastify disclosed a bug submitted by onlybugs05: https://hackerone.com/reports/3524779 [...]
GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/3506183 [...]
curl disclosed a bug submitted by errorbehavior200: https://hackerone.com/reports/3584149 [...]
What you will learn What the Intigriti Ambassador Program is and how it works. What are the key benefits and rewards of participation? Who should apply and why it matters. How to apply and next steps. What the global hacking community means to Intigriti The global hacking community has never been more important. From students discovering their first bug to seasoned hackers uncovering flaws in [...]
curl disclosed a bug submitted by deepbluev7: https://hackerone.com/reports/3580247 [...]
Broken authorization is one of the most widely known API vulnerabilities. It features in the OWASP Top 10, AppSec conversations, and secure coding guidelines. Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) account for hundreds of API vulnerabilities every quarter. According to the 2026 API ThreatStats report, authorization issues ranked ninth i [...]
Omise disclosed a bug submitted by 0x7ashish: https://hackerone.com/reports/3356149 [...]
In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against th [...]
Posted by Chrome Secure Web and Networking Team Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (“PLANTS”), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography intro [...]
We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users. [...]
AWS VDP disclosed a bug submitted by h0ne_analyst_94cm4n1: https://hackerone.com/reports/3514122 [...]
curl disclosed a bug submitted by knickers: https://hackerone.com/reports/3575245 [...]
curl disclosed a bug submitted by davkor: https://hackerone.com/reports/3575250 [...]
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3424998 [...]
curl disclosed a bug submitted by shan_nandi: https://hackerone.com/reports/3574928 [...]
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3575475 [...]
PortSwigger Web Security disclosed a bug submitted by zorixu: https://hackerone.com/reports/3556892 - Bounty: $200 [...]
Security is built by people. At Intigriti, we don’t just help organizations stay secure; we shine a light on the ethical hackers making a difference. Through our Hacker Spotlight series, we celebrate the talent, curiosity, and impact of the community driving safer digital experiences worldwide. We recently spoke with Marc-Oliver Munz, an ethical hacker from Germany with a global reach. In this Q& [...]
Security is built by people. At Intigriti, we don’t just help organizations stay secure; we shine a light on the ethical hackers making a difference. Through our Hacker Spotlight series, we celebrate the talent, curiosity, and impact of the community driving safer digital experiences worldwide. We recently spoke with Marc-Oliver Munz, an ethical hacker from Germany with a global reach. In this Q& [...]
Posted by Lyubov Farafonova, Product Manager, Phone by Google; Alberto Pastor Nieto, Sr. Product Manager Google Messages and RCS Spam and Abuse We’ve shared how Android’s proactive, multi-layered scam defenses utilize Google AI to protect users around the world from over 10 billion suspected malicious calls and messages every month1. While that scale is significant, the true impact of these p [...]
If you’ve ever done Linux memory forensics, you know the frustration: without debug symbols that match the exact kernel version, you’re stuck. These symbols aren’t typically installed on production systems and must be sourced from external repositories, which quickly become outdated when systems receive updates. If you’ve ever tried to analyze a memory dump only to discover that no one has publish [...]
Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3360293 [...]
Mars disclosed a bug submitted by 0xr2r: https://hackerone.com/reports/2200329 [...]
Mars disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/3376598 [...]
Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3066548 [...]
Mars disclosed a bug submitted by 4ksh3ye: https://hackerone.com/reports/3293803 [...]
Mars disclosed a bug submitted by scriptsavvy: https://hackerone.com/reports/3277276 [...]
Mars disclosed a bug submitted by azar_man: https://hackerone.com/reports/3174778 [...]
Node.js disclosed a bug submitted by illia-v: https://hackerone.com/reports/3456148 [...]