Kendra Albert gave an excellent talk at USENIX Security this year, pointing out
that the legal agreements surrounding vulnerability disclosure muzzle
researchers while allowing companies to not fix the vulnerabilities—exactly the
opposite of what the responsible disclosure movement of the early 2000s was
supposed to prevent. This is the talk.
> Thirty years ago, a debate raged over whether vulnerability disclosure was
> good for computer security. On one side, full disclosure advocates argued that
> software bugs weren’t getting fixed and wouldn’t get fixed if companies that
> made insecure software weren’t called out publicly. On the other side,
> companies argued that full disclosure led to exploitation of unpatched
> vulnerabilities, especially if they were hard to fix. After blog posts, public
> debates, and countless mailing list flame wars, there emerged a compromise
> solution: coordinated vulnerability disclosure, where vulnerabilities were
> disclosed after a period of confidentiality where vendors can attempt to fix
> things. Although full disclosure fell out of fashion, disclosure won and
> security through obscurity lost. We’ve lived happily ever after since...
Tag - vulnerabilities
This is bad:
> F5, a Seattle-based maker of networking software, disclosed the breach on
> Wednesday. F5 said a “sophisticated” threat group working for an undisclosed
> nation-state government had surreptitiously and persistently dwelled in its
> network over a “long-term.” Security researchers who have responded to similar
> intrusions in the past took the language to mean the hackers were inside the
> F5 network for years.
>
> During that time, F5 said, the hackers took control of the network segment the
> company uses to create and distribute updates for BIG-IP, a line of server
> appliances that F5 ...
Apple is now offering a $2M bounty for a zero-click exploit. According to the
Apple website:
> Today we’re announcing the next major chapter for Apple Security Bounty,
> featuring the industry’s highest rewards, expanded research categories, and a
> flag system for researchers to objectively demonstrate vulnerabilities and
> obtain accelerated awards.
>
> 1. We’re doubling our top award to $2 million for exploit chains that can
> achieve similar goals as sophisticated mercenary spyware attacks. This is
> an unprecedented amount in the industry and the largest payout offered by
> any bounty program we’re aware of, and our bonus system, providing
> additional rewards for Lockdown Mode bypasses and vulnerabilities
> discovered in beta software, can more than double this reward, with a
> maximum payout in excess of $5 million. We’re also doubling or
> significantly increasing rewards in many other categories to encourage
> more intensive research. This includes $100,000 for a complete Gatekeeper
> bypass, and $1 million for broad unauthorized iCloud access, as no
> successful exploit has been demonstrated to date in either category. ...
AI agents are now hacking computers. They’re getting better at all phases of
cyberattacks, faster than most of us expected. They can chain together different
aspects of a cyber operation, and hack autonomously, at computer speeds and
scale. This is going to change everything.
Over the summer, hackers proved the concept, industry institutionalized it, and
criminals operationalized it. In June, AI company XBOW took the top spot on
HackerOne’s US leaderboard after submitting over 1,000 new vulnerabilities in
just a few months. In August, the seven teams competing in DARPA’s AI Cyber
Challenge ...
Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower
lawsuit alleging that Facebook deliberately failed to fix a bunch of security
flaws, in violation of its 2019 settlement agreement with the Federal Trade
Commission.
> The lawsuit, alleging violations of the whistleblower protection provision of
> the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,000
> WhatsApp users had their accounts hacked every day. By last year, the
> complaint alleged, as many as 400,000 WhatsApp users were getting locked out
> of their accounts each day as a result of such account takeovers...
They’re interesting:
> Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race
> condition bugs that could enable a local attacker to obtain access to
> sensitive information. Tools like Apport and systemd-coredump are designed to
> handle crash reporting and core dumps in Linux systems.
>
> […]
>
> “This means that if a local attacker manages to induce a crash in a privileged
> process and quickly replaces it with another one with the same process ID that
> resides inside a mount and pid namespace, apport will attempt to forward the
> core dump (which might contain sensitive information belonging to the
> original, privileged process) into the namespace.”...
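The race described in the quote only pays off when the kernel still produces a core for a privileged process and hands it to a userspace pipe handler such as apport or systemd-coredump. The following check is an added example, not code from the original post, from the advisory, or from apport/systemd: it classifies a host's `fs.suid_dumpable` and `kernel.core_pattern` sysctls (both real kernel settings) against that precondition. The verdict names and the handler list are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the original post, the advisory, apport or
 * systemd. Classifies a Linux host's core-dump settings against the
 * CVE-2025-5054 / CVE-2025-4598 attack: the PID-reuse race matters only when
 * the kernel still dumps a privileged (setuid / privilege-changed) process AND
 * pipes the core to a userspace handler such as apport or systemd-coredump.
 * fs.suid_dumpable and kernel.core_pattern are real sysctls; the verdict
 * names are this example's own. */

enum coredump_verdict {
    CORE_MITIGATED,       /* fs.suid_dumpable = 0: no cores from privilege-changed processes */
    CORE_EXPOSED_HANDLER, /* privileged cores are piped to apport or systemd-coredump */
    CORE_REVIEW           /* privileged cores allowed, but no known pipe handler involved */
};

/* A core_pattern that begins with '|' names a userspace handler. Copy the
 * handler's basename into out ("" when the pattern is a plain file name). */
static void core_pattern_handler(const char *core_pattern, char *out, size_t outlen)
{
    const char *start, *end, *p;
    size_t len;

    out[0] = '\0';
    if (core_pattern[0] != '|')
        return;
    start = core_pattern + 1;
    end = strchr(start, ' ');
    if (!end)
        end = start + strlen(start);
    /* keep only the final path component: /usr/share/apport/apport -> apport */
    for (p = start; p < end; p++)
        if (*p == '/')
            start = p + 1;
    len = (size_t)(end - start);
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, start, len);
    out[len] = '\0';
}

enum coredump_verdict classify_coredump_config(int suid_dumpable, const char *core_pattern)
{
    char handler[128];

    if (suid_dumpable == 0)
        return CORE_MITIGATED;
    core_pattern_handler(core_pattern, handler, sizeof handler);
    if (strcmp(handler, "apport") == 0 || strcmp(handler, "systemd-coredump") == 0)
        return CORE_EXPOSED_HANDLER;
    return CORE_REVIEW;
}

/* Read one line from a /proc/sys file, stripping the trailing newline. */
static int read_proc_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    static const char *names[] = { "mitigated", "exposed", "review" };
    char dumpable[16], pattern[512];
    enum coredump_verdict v;

    if (read_proc_line("/proc/sys/fs/suid_dumpable", dumpable, sizeof dumpable) != 0 ||
        read_proc_line("/proc/sys/kernel/core_pattern", pattern, sizeof pattern) != 0) {
        fprintf(stderr, "cannot read /proc/sys/fs/suid_dumpable or kernel/core_pattern\n");
        return 2;
    }
    v = classify_coredump_config(atoi(dumpable), pattern);
    printf("fs.suid_dumpable=%s kernel.core_pattern=%s -> %s\n", dumpable, pattern, names[v]);
    if (v == CORE_EXPOSED_HANDLER)
        printf("quick mitigation until patched: sysctl -w fs.suid_dumpable=0\n");
    return v == CORE_EXPOSED_HANDLER ? 1 : 0;
}
```

Setting `fs.suid_dumpable=0` stops cores only for processes that changed credentials (the setuid case), which is why it is a stopgap rather than a fix: a daemon that started as root and never dropped privileges is still dumpable, so the "review" verdict deserves a look as well, and the real remedy is the patched apport/systemd-coredump packages.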
MITRE’s CVE program, which provides common naming and other informational
resources about cybersecurity vulnerabilities, was about to be cancelled because
the US Department of Homeland Security failed to renew the contract. It was
funded for eleven more months at the last minute.
This is a big deal. The CVE program is one of those pieces of common
infrastructure that everyone benefits from. Losing it will bring us back to a
world where there’s no single way to talk about vulnerabilities. It’s kind of
crazy to think that the US government might damage its own security in this
way—but I suppose no crazier than any of the other ways the US is working
against its own interests right now...
Microsoft is reporting that its AI systems are able to find new vulnerabilities
in source code:
> Microsoft discovered eleven vulnerabilities in GRUB2, including integer and
> buffer overflows in filesystem parsers, command flaws, and a side-channel in
> cryptographic comparison.
>
> Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and
> symlinks were discovered in U-Boot and Barebox, which require physical access
> to exploit.
>
> The newly discovered flaws impact devices relying on UEFI Secure Boot, and if
> the right conditions are met, attackers can bypass security protections to
> execute arbitrary code on the device...
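The quote mentions a "side-channel in cryptographic comparison" among the GRUB2 findings. The pattern behind that class of bug is a comparison that returns at the first differing byte, so its running time tells an attacker how many leading bytes of a chosen input match the secret. The code below is an added example, not GRUB2 code and not Microsoft's finding: it shows the early-exit comparison beside its constant-time replacement, exposes the leak as a deterministic step count rather than a timing measurement, and includes a simulated attacker that uses only that count to recover a secret byte by byte. The function names and the sample secret are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not GRUB2 code and not Microsoft's finding. Both comparison
 * functions report the number of byte operations performed in *steps so the
 * leak can be shown deterministically instead of with a stopwatch. */

/* Early-exit comparison (the vulnerable pattern). Returns 0 when equal.
 * *steps = 1 + index of the first mismatch, or n when the inputs are equal. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/* Constant-time comparison (the fix). Always touches all n bytes and folds the
 * differences with OR, so neither the iteration count nor the branch pattern
 * depends on where, or whether, the inputs differ. Returns 0 when equal. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    /* reduce diff to 0 or 1 without a data-dependent branch */
    return (diff | (uint8_t)-diff) >> 7;
}

/* Simulated attacker: with only the step count (the "timing") as feedback,
 * recover `secret` one byte at a time with at most 256 guesses per byte,
 * instead of the 256^n guesses a constant-time comparison would force. */
void recover_via_leak(const uint8_t *secret, size_t n, uint8_t *out)
{
    size_t pos, steps;
    int c;
    memset(out, 0, n);
    for (pos = 0; pos < n; pos++) {
        for (c = 0; c < 256; c++) {
            out[pos] = (uint8_t)c;
            /* a wrong byte stops the comparison exactly at this position;
             * the right one lets it run further (or succeed outright) */
            if (leaky_compare(secret, out, n, &steps) == 0 || steps > pos + 1)
                break;
        }
    }
}

/* String wrappers (equal lengths assumed; a length mismatch is itself a leak
 * and is simply reported as not equal / zero steps). */
size_t leaky_steps(const char *a, const char *b)
{
    size_t steps = 0;
    if (strlen(a) != strlen(b))
        return 0;
    leaky_compare((const uint8_t *)a, (const uint8_t *)b, strlen(a), &steps);
    return steps;
}

size_t ct_steps(const char *a, const char *b)
{
    size_t steps = 0;
    if (strlen(a) != strlen(b))
        return 0;
    ct_compare((const uint8_t *)a, (const uint8_t *)b, strlen(a), &steps);
    return steps;
}

int ct_equal_str(const char *a, const char *b)
{
    size_t steps;
    if (strlen(a) != strlen(b))
        return 0;
    return ct_compare((const uint8_t *)a, (const uint8_t *)b, strlen(a), &steps) == 0;
}

/* 1 if the step-count leak alone suffices to recover `secret` (sample input). */
int recovery_works(const char *secret)
{
    uint8_t buf[64];
    size_t n = strlen(secret);
    if (n > sizeof buf)
        return 0;
    recover_via_leak((const uint8_t *)secret, n, buf);
    return memcmp(buf, secret, n) == 0;
}
```

On real hardware the step count becomes a timing difference of nanoseconds per byte, which is why these bugs are exploited with many repeated measurements rather than a single one; the fix is the same in either case: compare every byte and fold the result, as `ct_compare` does, and never let an early `memcmp` return decide whether a password hash, MAC or signature matched.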
US National Security Advisor Mike Waltz, who started the now-infamous group chat
coordinating a US attack against the Yemen-based Houthis on March 15, is
seemingly now suggesting that the secure messaging service Signal has security
vulnerabilities.
"I didn’t see this loser in the group," Waltz told Fox News
about Atlantic editor in chief Jeffrey Goldberg, whom Waltz invited to the chat.
"Whether he did it deliberately or it happened in some other technical mean, is
something we’re trying to figure out."
Waltz’s implication that Goldberg may have hacked his way in was followed by
a ...
Of the five, one is a Windows vulnerability, another is a Cisco vulnerability.
We don’t have any details about who is exploiting them, or how.
News article. Slashdot thread.