Posted by Vijaya Kaza, VP and GM, App & Ecosystem Trust The Android ecosystem is a thriving global community built on trust, giving billions of users the confidence to download the latest apps. In order to maintain that trust, we’re focused on ensuring that apps do not cause real-world harm, such as malware, financial fraud, hidden subscriptions, and privacy invasions. As bad actors leverage [...]
Interesting: Summary: An AI agent of unknown ownership autonomously wrote and published a personalized hit piece about me after I rejected its code, attempting to damage my reputation and shame me into accepting its changes into a mainstream python library. This represents a first-of-its-kind case study of misaligned AI behavior in the wild, and raises serious concerns about currently deployed AI [...]
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3042475 [...]
Nintendo disclosed a bug submitted by kinnay: https://hackerone.com/reports/3463719 [...]
The Kubernetes project is urging organizations to migrate away from Ingress NGINX before its retirement in March 2026, with new high-severity CVEs underscoring the urgency. [...]
Automattic disclosed a bug submitted by georgestephanis: https://hackerone.com/reports/3447021 [...]
The title of the post is”What AI Security Research Looks Like When It Works,” and I agree: In the latest OpenSSL security release> on January 27, 2026, twelve new zero-day vulnerabilities (meaning unknown to the maintainers at time of disclosure) were announced. Our AI system is responsible for the original discovery of all twelve, each found and responsibly disclosed to the OpenSSL te [...]
The shadow technology problem is getting worse. Over the past few years, organizations have scaled microservices, cloud-native apps, and partner integrations faster than corporate governance models could keep up, resulting in undocumented or shadow APIs. We’re now seeing this pattern all over again with AI systems. And, even worse, AI introduces non-deterministic behavior, autonomous [...]
Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. These bugs potentially affect thousands of downstream projects. When we shared one of these bugs with an affected vendor, strongSwan, the maintainer provided a model response for security vendors. The aes-js/pyaes maintainer, on the other hand, has tak [...]
Sony disclosed a bug submitted by vortekx: https://hackerone.com/reports/3514490 [...]
API security has been a growing concern for years. However, while it was always seen as important, it often came second to application security or hardening infrastructure. In 2025, the picture changed. Wallarm’s 2026 API ThreatStats Report revealed that APIs are now the primary attack surface for digital business, and not because bad actors discovered new zero-days, but because of compo [...]
Here are three papers describing different side-channel attacks against LLMs. “Remote Timing Attacks on Efficient Language Model Inference“: Abstract: Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive body of work (e.g., speculative sampling or parallel decoding) that improves the (average ca [...]
Report writing is an integral part of bug bounty or any type of vulnerability assessment. In fact, sometimes, it can become the most important phase. Submitting a confusing report can often lead to misalignment and faulty interpretation of your reported vulnerability. On the contrary, a well-written submission that includes all the necessary details can help shorten the time to triage, lead to inc [...]
Attacks against modern generative artificial intelligence (AI) large language models (LLMs) pose a real threat. Yet discussions around these attacks and their potential defenses are dangerously myopic. The dominant narrative focuses on “prompt injection,” a set of techniques to embed instructions into inputs to LLM intended to perform malicious activity. This term suggests a simple, s [...]
What you will learn in this blog What chaining is and how combining lower-severity issues can create a high-impact security risk. Key chaining techniques and terminology, such as pivoting, lateral movement, and privilege escalation. How chaining is identified and prioritized in practice, including the role of PTaaS and how researchers can use chaining to uncover critical attack paths and guide n [...]
This is a current list of where and when I am scheduled to speak: I’m speaking at Ontario Tech University in Oshawa, Ontario, Canada, at 2 PM ET on Thursday, February 26, 2026. I’m speaking at the Personal AI Summit in Los Angeles, California, USA, on Thursday, March 5, 2026. I’m speaking at Tech Live: Cybersecurity in New York City, USA, on Wednesday, March 11, 2026. I’m giving the Ross An [...]
An exploration of the interesting question. [...]
Node.js disclosed a bug submitted by 0xmaxhax: https://hackerone.com/reports/3473882 [...]
Node.js disclosed a bug submitted by winfunc: https://hackerone.com/reports/3465156 [...]
Node.js disclosed a bug submitted by aaron_vercel: https://hackerone.com/reports/3456295 [...]
Node.js disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3357723 [...]
Node.js disclosed a bug submitted by chalker: https://hackerone.com/reports/3405778 [...]
Node.js disclosed a bug submitted by natann: https://hackerone.com/reports/3417819 [...]
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3357036 - Bounty: $350 [...]
New York is contemplating a bill that adds surveillance to 3D printers: New York’s 20262027 executive budget bill (S.9005 / A.10005) includes language that should alarm every maker, educator, and small manufacturer in the state. Buried in Part C is a provision requiring all 3D printers sold or delivered in New York to include “blocking technology.” This is defined as software or firmw [...]
Omise disclosed a bug submitted by alitoni224: https://hackerone.com/reports/3183046 [...]
For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attem [...]
I just noticed that the ebook version of Rewiring Democracy is on sale for $5 on Amazon, Apple Books, Barnes & Noble, Books A Million, Google Play, Kobo, and presumably everywhere else in the US. I have no idea how long this will last. Also, Amazon has a coupon that brings the hardcover price down to $20. You’ll see the discount at checkout. [...]
Interesting research: “CHAI: Command Hijacking Against Embodied AI.” Abstract: Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to generalize beyond training distributions and adapt to novel real-world situations. These capabilities, however, also create [...]
It’s an unusually cold winter morning in Houston, and Craig Riddell is settling into his new role as Wallarm’s Global Field CISO. It’s a position that suits him down to the ground, blending technical depth, empathy, business acumen, and, what Craig believes, the most underrated skill in cybersecurity: curiosity. Like so many of us, Craig got into cybersecurity by accident. He first learned Un [...]
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild. Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quiet [...]
In 2023, the science fiction literary magazine Clarkesworld stopped accepting new submissions because so many were generated by artificial intelligence. Near as the editors could tell, many submitters pasted the magazine’s detailed story guidelines into an AI and sent in the results. And they weren’t alone. Other fiction magazines have also reported a high number of AI-generated submissions. This [...]
Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. [...]
AWS VDP disclosed a bug submitted by aneeeketh: https://hackerone.com/reports/3426839 [...]
Django disclosed a bug submitted by sy2n0: https://hackerone.com/reports/3426417 [...]
You probably think the security mantra “you can’t protect what you don’t know about” is an inarguable truth. But you would be wrong. It doesn’t hold water in today’s threat landscape. Of course, it sounds reasonable. Before you secure APIs, you must first discover, inventory, and document them exhaustively. The problem is that this way of thinking has hardened into dogma and ignores how attack [...]
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3360354 - Bounty: $750 [...]
curl disclosed a bug submitted by pajarori: https://hackerone.com/reports/3531216 [...]
Bug bounty growth insights across the US Bug bounty programs have evolved from a niche security tactic into a core component of modern defense strategies worldwide. In this blog, we focus on the US: one of the most invested and fastest-adopting markets, where organizations, driven by higher security maturity, are increasingly using bug bounty to uncover complex vulnerabilities that traditional t [...]
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3424977 [...]
GoCD disclosed a bug submitted by aigirl: https://hackerone.com/reports/3509632 [...]
Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. [...]
LinkedIn disclosed a bug submitted by allenjo: https://hackerone.com/reports/3151001 [...]
LinkedIn disclosed a bug submitted by minex627: https://hackerone.com/reports/3235855 [...]
A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying — perhaps as much to contain the stolen data [...]
PostMessage vulnerabilities arise when developers fail to properly validate message origins or sanitize content within cross-origin communication handlers. As modern web applications increasingly rely on the postMessage API for cross-origin communication, whether for embedded widgets, OAuth flows, third-party integrations, or iframe-based components, the attack surface continues to grow. While pos [...]
APIs are one of the most important technologies in digital business ecosystems. And yet, the responsibility for their security often falls to AppSec teams – and that’s a problem. This organizational mismatch creates systemic risk: business teams assume APIs are “secured,” while attackers exploit logic flaws, authorization gaps, and automated attacks in production. As Tim Erlin noted rece [...]
Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler. This work reflects one of our driving values: “share what others can use.” The measure isn’t whether you share something, but whether it’s actually useful to someone else. This princi [...]
Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our cu [...]
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. January's challenge presented participants with CRYPTIGRITI, a cryptocurrency trading platform where users could buy and trade Bitcoin (BTC), Monero (XMR), and a custom digital currency, 1337COIN. This article provides a step-by-step walkthrough for solving January's [...]
Posted by Nataliya Stanetsky, Fabricio Ferracioli, Elliot Sisteron, Irene Ang of the Android Security Team Phone theft is more than just losing a device; it's a form of financial fraud that can leave you suddenly vulnerable to personal data and financial theft. That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt. Today, [...]
A deep dive into OpenSSL’s January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug. [...]
ExpressionEngine disclosed a bug submitted by fed01k: https://hackerone.com/reports/3249794 [...]
The cybercriminals in control of Kimwolf — a disruptive botnet that has infected more than 2 million devices — recently shared a screenshot indicating they’d compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people b [...]