Tag: bug-bounty
-
USENIX Security ’25 (Enigma Track) Everything Old Is New Again: Legal Restrictions On Vulnerability Disclosure On Bug Bounty Platforms
Author, Creator & Presenter: Kendra Albert, Albert Sellars LLP Our thanks to USENIX Security ’25 (Enigma Track) (USENIX ’25 for publishing their Creators, Authors and Presenter’s tremendous USENIX Security ’25 (Enigma Track) content on the Organizations’ YouTube Channel. Permalink First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/usenix-security-25-enigma-track-everything-old-is-new-again-legal-restrictions-on-vulnerability-disclosure-on-bug-bounty-platforms/
-
14 old software bugs that took way too long to squash
Tags: access, api, attack, authentication, automation, bug-bounty, communications, computer, control, credentials, cve, cvss, cyber, data, data-breach, dns, dos, encryption, exploit, flaw, hacker, Hardware, infosec, infrastructure, Internet, kaspersky, linux, malicious, malware, microsoft, mitigation, network, nist, open-source, password, programming, remote-code-execution, risk, service, software, stuxnet, supply-chain, technology, theft, threat, tool, update, usa, vulnerability, windows, zero-dayAge: 30 yearsDate introduced: 1995Date fixed: February 2026Researchers unearthed a legacy flaw in the widely used libpng open-source library that had existed since the technology was first released more than 30 years ago.The heap buffer overflow vulnerability (CVE-2026-25646) meant that applications using the flawed software would crash when presented with a maliciously constructed PNG raster…
-
14 old software bugs that took way too long to squash
Tags: access, api, attack, authentication, automation, bug-bounty, communications, computer, control, credentials, cve, cvss, cyber, data, data-breach, dns, dos, encryption, exploit, flaw, hacker, Hardware, infosec, infrastructure, Internet, kaspersky, linux, malicious, malware, microsoft, mitigation, network, nist, open-source, password, programming, remote-code-execution, risk, service, software, stuxnet, supply-chain, technology, theft, threat, tool, update, usa, vulnerability, windows, zero-dayAge: 30 yearsDate introduced: 1995Date fixed: February 2026Researchers unearthed a legacy flaw in the widely used libpng open-source library that had existed since the technology was first released more than 30 years ago.The heap buffer overflow vulnerability (CVE-2026-25646) meant that applications using the flawed software would crash when presented with a maliciously constructed PNG raster…
-
Psychische Belastung – cURL stoppt Bug-Bounty-Programm wegen KI-generierten Falschmeldungen
First seen on security-insider.de Jump to article: www.security-insider.de/ende-bug-bounty-programm-curl-ki-falschmeldungen-a-7918a628a41352e4cc170987f1788dee/
-
Open-source benchmark EVMbench tests how well AI agents handle smart contract exploits
Smart contract exploits continue to drain funds from blockchain projects, even as auditing tools and bug bounty programs grow. The problem is tied to how Ethereum Virtual … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/02/19/evmbench-open-source-benchmark-ai-agents/
-
Disclosure: SupportCandy Ticket Attachment IDOR (CVE-2026-1251)
During independent security research conducted as part of the Wordfence Bug Bounty Program, we identified a broken access control vulnerability in the SupportCandy plugin for WordPress. SupportCandy is a helpdesk and customer support ticketing plugin that enables organisations to manage user-submitted support requests directly within their WordPress environment, including the ability to upload files and”¦…
-
When responsible disclosure becomes unpaid labor
Tags: ai, bug-bounty, ciso, cloud, compliance, control, credentials, cve, cvss, cybersecurity, data, email, exploit, finance, flaw, governance, healthcare, incident response, infrastructure, jobs, open-source, ransom, risk, security-incident, service, software, threat, tool, update, vulnerability, warfaresupposed to function and how it increasingly does in practice. Enter the gray zone of ethical disclosure: The result is a growing gray zone between ethical research and adversarial pressure. Based on years of reporting on disclosure disputes, that gray zone tends to emerge through a small set of recurring failure modes.Silent treatment and severity…
-
NDSS 2025 PropertyGPT
Tags: blockchain, bug-bounty, conference, crypto, guide, Internet, LLM, network, oracle, strategy, tool, vulnerability, zero-daySession 11A: Blockchain Security 2 Authors, Creators & Presenters: Ye Liu (Singapore Management University), Yue Xue (MetaTrust Labs), Daoyuan Wu (The Hong Kong University of Science and Technology), Yuqiang Sun (Nanyang Technological University), Yi Li (Nanyang Technological University), Miaolei Shi (MetaTrust Labs), Yang Liu (Nanyang Technological University) PAPER PropertyGPT: LLM-driven Formal Verification of Smart Contracts…
-
Wegen KI-Spam: curl stellt Bug-Bounty ein
Das curl-Projekt muss nach Jahren und Tausenden Dollar an Sicherheitsforscher sein Bug-Bounty-Programm einstellen. Der Grund: LLMs. First seen on tarnkappe.info Jump to article: tarnkappe.info/kommentar/wegen-ki-spam-curl-stellt-bug-bounty-ein-325472.html
-
Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud
Tags: authentication, bug-bounty, control, corporate, defense, email, github, guide, hacker, malicious, malware, microsoft, vulnerabilitydisabling the ability to run lifecycle scripts, commands that run automatically during package installation,saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if…
-
Node.js Sets New Standard for HackerOne Reports, Demands Signal of 1.0 or Higher
Node.js has implemented a new quality control measure on its HackerOne bug bounty program, requiring researchers to maintain a minimum Signal reputation score of 1.0 before submitting vulnerability reports. This policy change, announced by the OpenJS Foundation, aims to reduce the growing volume of low-quality submissions that have overwhelmed the security team’s triage capacity. The…
-
Node.js Sets New Standard for HackerOne Reports, Demands Signal of 1.0 or Higher
Node.js has implemented a new quality control measure on its HackerOne bug bounty program, requiring researchers to maintain a minimum Signal reputation score of 1.0 before submitting vulnerability reports. This policy change, announced by the OpenJS Foundation, aims to reduce the growing volume of low-quality submissions that have overwhelmed the security team’s triage capacity. The…
-
Curl ending bug bounty program after flood of AI slop reports
The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/curl-ending-bug-bounty-program-after-flood-of-ai-slop-reports/
-
Curl ending bug bounty program after flood of AI slop reports
The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/curl-ending-bug-bounty-program-after-flood-of-ai-slop-reports/
-
Curl shutters bug bounty program to remove incentive for submitting AI slop
Maintainer hopes hackers send bug reports anyway, will keep shaming ‘silly ones’ First seen on theregister.com Jump to article: www.theregister.com/2026/01/21/curl_ends_bug_bounty/
-
Bug-Bounty-Programm: Curl-Entwickler dreht dem KI-Schrott den Geldhahn zu
Massen an KI-generierten Bug-Reports belasten Open-Source-Entwickler. Das Curl-Projekt streicht die Prämien – und nimmt damit die Anreize. First seen on golem.de Jump to article: www.golem.de/news/bug-bounty-programm-curl-entwickler-dreht-dem-ki-schrott-den-geldhahn-zu-2601-204260.html
-
Are There IDORs Lurking in Your Code? LLMs Are Finding Critical Business Logic Vulns”, and They’re Everywhere
Security teams have always known that insecure direct object references (IDORs) and broken authorization vulnerabilities exist in their codebases. Ask any AppSec leader if they have IDOR issues, and most would readily admit they do. But here’s the uncomfortable truth: they’ve been dramatically underestimating the scope of the problem. Recent bug bounty data tells a..…
-
HackerOne ‘ghosted’ me for months over $8,500 bug bounty, says researcher
Long after CVEs issued and open source flaws fixed First seen on theregister.com Jump to article: www.theregister.com/2026/01/07/hackerone_ghosted_researcher/
-
Microsoft stellt neue Sicherheitsstrategie vor
Tags: ai, bug-bounty, cloud, cyberattack, governance, hacking, microsoft, open-source, phishing, RedTeam, risk, saas, service, strategy, tool, vulnerabilityMicrosoft hat angekündigt, dass sein Bug-Bounty-Programm ausgeweitet werden soll.Cyberangriffe beschränken sich heutzutage nicht auf bestimmte Unternehmen, Produkte oder Dienstleistungen sie finden dort statt, wo die Schwachstellen sind. Zudem werden die Attacken mit Hilfe von KI-Tools immer ausgefeilter. Vor diesem Hintergrund hat Microsoft seinen neuen Security-Ansatz ‘In Scope by Default” auf der Black Hat Europe angekündigt.Demnach…
-
Microsoft stellt neue Sicherheitsstrategie vor
Tags: ai, bug-bounty, cloud, cyberattack, governance, hacking, microsoft, open-source, phishing, RedTeam, risk, saas, service, strategy, tool, vulnerabilityMicrosoft hat angekündigt, dass sein Bug-Bounty-Programm ausgeweitet werden soll.Cyberangriffe beschränken sich heutzutage nicht auf bestimmte Unternehmen, Produkte oder Dienstleistungen sie finden dort statt, wo die Schwachstellen sind. Zudem werden die Attacken mit Hilfe von KI-Tools immer ausgefeilter. Vor diesem Hintergrund hat Microsoft seinen neuen Security-Ansatz ‘In Scope by Default” auf der Black Hat Europe angekündigt.Demnach…
-
Microsoft expands Bug Bounty scheme to include third-party software
The company is to offer bug bounty awards for people who report security vulnerabilities in third-party and open source software impacting Microsoft services First seen on computerweekly.com Jump to article: www.computerweekly.com/news/366636178/Microsoft-expands-Bug-Bounty-scheme-to-include-third-party-software
-
Why bug bounty schemes have not led to secure software
Computer Weekly speaks to Katie Moussouris, security entrepreneur and bug bounty pioneer, about the life of security researchers, bug bounties and the artificial intelligence revolution First seen on computerweekly.com Jump to article: www.computerweekly.com/news/366636232/Why-bug-bounty-schemes-have-not-led-to-secure-software
-
Hardware Hackers Urge Vendor Engagement for Security Success
Experts Detail Upsides of Bug Bounties and Getting Devices Into Researchers’ Hands. As fresh vulnerabilities in hardware keep coming to light, one question remains: What vendors can do to better prevent, identify and eradiate flaws? One shortlist offered by veteran hardware hackers centered on the upsides of engagement, including bug bounty programs. First seen on…
-
Hardware Hackers Urge Vendor Engagement for Security Success
Experts Detail Upsides of Bug Bounties and Getting Devices Into Researchers’ Hands. As fresh vulnerabilities in hardware keep coming to light, one question remains: What vendors can do to better prevent, identify and eradiate flaws? One shortlist offered by veteran hardware hackers centered on the upsides of engagement, including bug bounty programs. First seen on…
-
WhatsApp flaw allowed discovery of the 3.5 billion mobile numbers registered to the platform
Tags: api, attack, bug-bounty, business, china, cloud, dark-web, data, data-breach, encryption, flaw, government, mobile, phishing, phone, privacy, spam, technology, vulnerability, windowsHey there You are using WhatsApp, marks this as one of the most embarrassing weaknesses yet in the world’s most widely-used communication app.The vulnerability was in WhatsApp’s contact discovery mechanism, the foundation of how this and many similar apps work. When WhatsApp is installed, it asks for permission to match mobile numbers in a user’s…
-
WhatsApp flaw allowed discovery of the 3.5 billion mobile numbers registered to the platform
Tags: api, attack, bug-bounty, business, china, cloud, dark-web, data, data-breach, encryption, flaw, government, mobile, phishing, phone, privacy, spam, technology, vulnerability, windowsHey there You are using WhatsApp, marks this as one of the most embarrassing weaknesses yet in the world’s most widely-used communication app.The vulnerability was in WhatsApp’s contact discovery mechanism, the foundation of how this and many similar apps work. When WhatsApp is installed, it asks for permission to match mobile numbers in a user’s…
-
Bug Bounty Programs Rise as Key Strategic Security Solutions
Bug bounty programs create formal channels for organizations to leverage external security expertise, offering researchers legal protection and financial incentives for ethical vulnerability disclosure. First seen on darkreading.com Jump to article: www.darkreading.com/cybersecurity-operations/bug-bounty-programs-rise-as-key-strategic-security-solutions
-
Meta Expands WhatsApp Security Research with New Proxy Tool and $4M in Bounties This Year
Meta on Tuesday said it has made available a tool called WhatsApp Research Proxy to some of its long-time bug bounty researchers to help improve the program and more effectively research the messaging platform’s network protocol.The idea is to make it easier to delve into WhatsApp-specific technologies as the application continues to be a lucrative…