#security-research — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #security-research, aggregated by home.social.
-
I need followers in tech + cybersecurity—please help... I promise I’ll post stuff smarter than “oops, wrong config”.
#CyberSecurity #Infosec #ThreatIntelligence #SecurityResearch #BlueTeam #RedTeam #SOC #VulnerabilityManagement #AppSec #PenTesting #threatintel
-
New blog post!
The title should be self-explanatory, it's an appreciation post for Nightmare Eclipse.
You might notice that the tone is a bit more emotional/angry than my usual style of writing.
This one's personal.https://ti-kallisti.com/general/ms/nightmare-eclipse.html
#NightmareEclipse #Microsoft #Hackers #InfoSec #SecurityResearch #ChainsawMan #Reze
-
New blog post!
The title should be self-explanatory, it's an appreciation post for Nightmare Eclipse.
You might notice that the tone is a bit more emotional/angry than my usual style of writing.
This one's personal.https://ti-kallisti.com/general/ms/nightmare-eclipse.html
#NightmareEclipse #Microsoft #Hackers #InfoSec #SecurityResearch #ChainsawMan #Reze
-
https://winbuzzer.com/2026/06/21/pypi-malware-wave-exposes-weak-ai-scanner-boundary-xcxwbn/
PyPI Malware Wave Exposes Weak AI Malware Scanner Boundary
#AI #PyPI #Malware #AISecurity #Cybersecurity #Javascript #AISafety #AntiMalware #SecurityResearch #CyberThreats
-
https://winbuzzer.com/2026/06/21/pypi-malware-wave-exposes-weak-ai-scanner-boundary-xcxwbn/
PyPI Malware Wave Exposes Weak AI Malware Scanner Boundary
#AI #PyPI #Malware #AISecurity #Cybersecurity #Javascript #AISafety #AntiMalware #SecurityResearch #CyberThreats
-
Looking forward to #OWASP Global AppSec EU and the inaugural #MAScon next week. Excited for the opportunity to learn from researchers and practitioners who are pushing mobile security forward.
Check out some of the sessions: https://loom.ly/qC3L65o
@owasp #OWASPGlobalAppSec #MobileApps #MobileSecurity #SecurityResearch
-
Looking forward to #OWASP Global AppSec EU and the inaugural #MAScon next week. Excited for the opportunity to learn from researchers and practitioners who are pushing mobile security forward.
Check out some of the sessions: https://loom.ly/qC3L65o
@owasp #OWASPGlobalAppSec #MobileApps #MobileSecurity #SecurityResearch
-
You demonstrate a fileless RCE chain. Complex delivery, in-memory execution, zero detections, confirmed working on multiple devices.
The vendor reviews it twice, involves engineering, then tells you:
"Your research demonstrates a complex chain for delivering and executing code."
...and closes it as 'intended behavior. Not a platform vulnerability.'
Question: is it a vulnerability?
Follow-up: does your answer change if the attack surface exists *between* components — where no single owner's scope definition covers the full chain?
Asking because I have a paper dropping soon about that.
#VRP #responsibleDisclosure #semanticGap #infosec #securityResearch
-
I was tired of digging through endless random cybersecurity lists, so naturally I built another random cybersecurity list - just cleaner, prettier and actually organized.
Hack Hub is a curated directory of useful security resources.
#CyberSecurity #InfoSec #Hacking #EthicalHacking #Pentesting #RedTeam #BlueTeam #DFIR #OSINT #ThreatIntel #MalwareAnalysis #BugBounty #CloudSecurity #MobileSecurity #OpenSource #SecurityTools #SecurityResearch #Linux #Hackers #Tech
-
I was tired of digging through endless random cybersecurity lists, so naturally I built another random cybersecurity list - just cleaner, prettier and actually organized.
Hack Hub is a curated directory of useful security resources.
#CyberSecurity #InfoSec #Hacking #EthicalHacking #Pentesting #RedTeam #BlueTeam #DFIR #OSINT #ThreatIntel #MalwareAnalysis #BugBounty #CloudSecurity #MobileSecurity #OpenSource #SecurityTools #SecurityResearch #Linux #Hackers #Tech
-
https://winbuzzer.com/2026/06/03/toronto-ai-worm-prototype-tests-adaptive-malware-risk-xcxwbn/
Researchers built a contained AI powered malware worm that adapts attacks across lab hosts, exposing how local open-weight models complicate malware containment.
#AI #AIAgents #AISecurity #AIResearch #Cybersecurity #Malware #SecurityVulnerabilities #CyberThreats #SecurityResearch
-
https://winbuzzer.com/2026/06/03/toronto-ai-worm-prototype-tests-adaptive-malware-risk-xcxwbn/
Researchers built a contained AI powered malware worm that adapts attacks across lab hosts, exposing how local open-weight models complicate malware containment.
#AI #AIAgents #AISecurity #AIResearch #Cybersecurity #Malware #SecurityVulnerabilities #CyberThreats #SecurityResearch
-
https://winbuzzer.com/2026/06/02/microsoft-backs-off-threats-against-security-researchers-xcxwbn/
Microsoft has ruled out action against security researchers after a backlash, narrowing legal risk around its wider disclosure dispute.
#SecurityResearch #Microsoft #Security #Cybersecurity #ZeroDay #MicrosoftWindows #WindowsSecurity #WindowsVulnerability #Windows11
-
https://winbuzzer.com/2026/06/02/microsoft-backs-off-threats-against-security-researchers-xcxwbn/
Microsoft has ruled out action against security researchers after a backlash, narrowing legal risk around its wider disclosure dispute.
#SecurityResearch #Microsoft #Security #Cybersecurity #ZeroDay #MicrosoftWindows #WindowsSecurity #WindowsVulnerability #Windows11
-
Bug Bounty situation = Netflix & Piracy situation?
*Boosts welcome
I want to hear your opinion on an idea I had recently:
So, movies/TV piracy is rising recently. And much of it is due to the overwhelming amount of providers, and the fact that each one has a small portion of the pie.
Unlike Music, where providers have mostly the same, allowing for a good customer experience, lowering the need to pirate music, in the movies/TV industry the situation is just getting worse each day, making the rise of piracy (discussed in DarknetDiaries' episode about the magic box) bigger each day.I was wondering if the same thing would/is happening in the bug bounty world.
As more and more companies close their bug bounty programs, or lower the rewards, could researchers turn to selling their findings on the dark net/other forums alike?After all, many researchers do this to make a living, and not be a knight on a white horse.
And if someone invested months researching and testing to find a critical vulnerability, they won't be able to go shopping with a Thank You letter.what do you think?
I'm not a bug bounter so I don't really live this world, but some of you are. what do you think?
is it already happening? -
Bug Bounty situation = Netflix & Piracy situation?
*Boosts welcome
I want to hear your opinion on an idea I had recently:
So, movies/TV piracy is rising recently. And much of it is due to the overwhelming amount of providers, and the fact that each one has a small portion of the pie.
Unlike Music, where providers have mostly the same, allowing for a good customer experience, lowering the need to pirate music, in the movies/TV industry the situation is just getting worse each day, making the rise of piracy (discussed in DarknetDiaries' episode about the magic box) bigger each day.I was wondering if the same thing would/is happening in the bug bounty world.
As more and more companies close their bug bounty programs, or lower the rewards, could researchers turn to selling their findings on the dark net/other forums alike?After all, many researchers do this to make a living, and not be a knight on a white horse.
And if someone invested months researching and testing to find a critical vulnerability, they won't be able to go shopping with a Thank You letter.what do you think?
I'm not a bug bounter so I don't really live this world, but some of you are. what do you think?
is it already happening? -
Shodan Dork Cheat Sheet
In this cheat sheet, I cover useful Shodan search queries, filtering techniques, and practical reconnaissance workflows for cybersecurity assessments
https://denizhalil.com/2023/12/19/shodan-dork-cheat-sheet/#CyberSecurity #Shodan #OSINT #Reconnaissance #AttackSurface #ThreatIntelligence #Pentesting #RedTeam #InfoSec #EthicalHacking #SecurityResearch #DenizHalil
-
Shodan Dork Cheat Sheet
In this cheat sheet, I cover useful Shodan search queries, filtering techniques, and practical reconnaissance workflows for cybersecurity assessments
https://denizhalil.com/2023/12/19/shodan-dork-cheat-sheet/#CyberSecurity #Shodan #OSINT #Reconnaissance #AttackSurface #ThreatIntelligence #Pentesting #RedTeam #InfoSec #EthicalHacking #SecurityResearch #DenizHalil
-
I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty
https://theguptalog.blogspot.com/2026/04/i-bypassed-aws-api-gateway-auth-with.html
#HackerNews #AWS #API #Gateway #Bounty #TrailingSlash #SecurityResearch #Cybersecurity
-
I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty
https://theguptalog.blogspot.com/2026/04/i-bypassed-aws-api-gateway-auth-with.html
#HackerNews #AWS #API #Gateway #Bounty #TrailingSlash #SecurityResearch #Cybersecurity
-
Fuzzing finds bugs in Rust code - reliably so. But async Rust has largely stayed out of reach with its complexity making it hard for fuzzers to explore meaningfully.
At Oxidize 2026, Morgan Hill (@pcwizz) walks through what it takes to actually fuzz async Rust: the naive approaches that don't work, and an involved technique that does - involving LibAFL, user mode QEMU, and a fair amount of head scratching.
🔗 https://oxidizeconf.com/sessions/awaiting_exploitation
#Oxidize2026 #RustLang #Fuzzing #SecurityResearch #AsyncRust
-
Fuzzing finds bugs in Rust code - reliably so. But async Rust has largely stayed out of reach with its complexity making it hard for fuzzers to explore meaningfully.
At Oxidize 2026, Morgan Hill (@pcwizz) walks through what it takes to actually fuzz async Rust: the naive approaches that don't work, and an involved technique that does - involving LibAFL, user mode QEMU, and a fair amount of head scratching.
🔗 https://oxidizeconf.com/sessions/awaiting_exploitation
#Oxidize2026 #RustLang #Fuzzing #SecurityResearch #AsyncRust
-
Sometimes I’ve found myself banging my head against the keyboard trying to contact companies to help them fix their misconfigurations and exposed servers.
After several frustrating experiences, I decided to create my own clear and structured Responsible Disclosure methodology.
Today I’m sharing it with you 👇
This flow represents how I handle vulnerabilities — always prioritizing ethical contact, escalation when necessary, and only publishing write-ups once the issue is fixed.
Opinions and constructive feedback are more than welcome. Have you faced similar situations? What’s your approach?
-
Sometimes I’ve found myself banging my head against the keyboard trying to contact companies to help them fix their misconfigurations and exposed servers.
After several frustrating experiences, I decided to create my own clear and structured Responsible Disclosure methodology.
Today I’m sharing it with you 👇
This flow represents how I handle vulnerabilities — always prioritizing ethical contact, escalation when necessary, and only publishing write-ups once the issue is fixed.
Opinions and constructive feedback are more than welcome. Have you faced similar situations? What’s your approach?
-
https://winbuzzer.com/2026/05/19/anthropic-says-it-began-letting-mythos-users-share-xcxwbn/
Anthropic has loosened sharing limits for Claude Mythos after earlier confidentiality restrictions, turning a tightly controlled cyber program into a broader disclosure channel.
#AI #ClaudeMythos #Anthropic #Claude #ProjectGlasswing #AISecurity #Cybersecurity #ThreatIntelligence #SecurityResearch #AIModels #AISafety
-
https://winbuzzer.com/2026/05/19/anthropic-says-it-began-letting-mythos-users-share-xcxwbn/
Anthropic has loosened sharing limits for Claude Mythos after earlier confidentiality restrictions, turning a tightly controlled cyber program into a broader disclosure channel.
#AI #ClaudeMythos #Anthropic #Claude #ProjectGlasswing #AISecurity #Cybersecurity #ThreatIntelligence #SecurityResearch #AIModels #AISafety
-
https://winbuzzer.com/2026/05/16/windows-11-and-microsoft-edge-hacked-at-pwn2own-be-xcxwbn/
Microsoft Edge and Windows 11 were successfully exploited at the Pwn2Own Berlin 2026 hacking event, contributing to a $523,000 day-one payout total.
#Cybersecurity #MicrosoftEdge #Windows11 #Pwn2Own #SecurityResearch #Exploits #ZeroDayVulnerabilities #WebBrowsers #WindowsSecurity
-
https://winbuzzer.com/2026/05/16/windows-11-and-microsoft-edge-hacked-at-pwn2own-be-xcxwbn/
Microsoft Edge and Windows 11 were successfully exploited at the Pwn2Own Berlin 2026 hacking event, contributing to a $523,000 day-one payout total.
#Cybersecurity #MicrosoftEdge #Windows11 #Pwn2Own #SecurityResearch #Exploits #ZeroDayVulnerabilities #WebBrowsers #WindowsSecurity
-
https://winbuzzer.com/2026/05/14/openais-gpt-55-matches-claude-mythos-in-security-tests-xcxwbn/
A UK AI Security Institute evaluation put GPT-5.5 near Claude Mythos on vulnerability-finding tasks.
#AI #GPT55Cyber #ClaudeMythos #UKAISecurityInstitute #OpenAI #Anthropic #Claude #AIBenchmarks #SecurityResearch #Cybersecurity
-
https://winbuzzer.com/2026/05/14/openais-gpt-55-matches-claude-mythos-in-security-tests-xcxwbn/
A UK AI Security Institute evaluation put GPT-5.5 near Claude Mythos on vulnerability-finding tasks.
#AI #GPT55Cyber #ClaudeMythos #UKAISecurityInstitute #OpenAI #Anthropic #Claude #AIBenchmarks #SecurityResearch #Cybersecurity
-
https://winbuzzer.com/2026/05/14/microsoft-launches-mdash-after-finding-16-windows-flaws-xcxwbn/
Microsoft has launched the MDASH agentic security system beating OpenAI and Anthropic on the CyberGym benchmark.
#AI #Microsoft #Cybersecurity #MDASH #AgenticAI #AIAgents #Cybersecurity #SecurityResearch
-
https://winbuzzer.com/2026/05/14/microsoft-launches-mdash-after-finding-16-windows-flaws-xcxwbn/
Microsoft has launched the MDASH agentic security system beating OpenAI and Anthropic on the CyberGym benchmark.
#AI #Microsoft #Cybersecurity #MDASH #AgenticAI #AIAgents #Cybersecurity #SecurityResearch
-
https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised
#CyberSecurity #InfoSec #SupplyChainSecurity #SoftwareSupplyChain #NPM #OpenSourceSecurity #AppSec #DevSecOps #ThreatIntel #Malware #JavaScript #NodeJS #CICD #GitHubActions #CloudSecurity #TypeScript #ReactJS #WebDev #OpenSource #DevTools #SoftwareEngineering #DeveloperSecurity #SecureCoding #GitHub #SupplyChainAttack #Programming #TechNews #DevOps #ApplicationSecurity #ThreatResearch #SecurityEngineering #CyberAttack #Hackers #MalwareAlert #SecurityResearch #DevCommunity -
https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised
#CyberSecurity #InfoSec #SupplyChainSecurity #SoftwareSupplyChain #NPM #OpenSourceSecurity #AppSec #DevSecOps #ThreatIntel #Malware #JavaScript #NodeJS #CICD #GitHubActions #CloudSecurity #TypeScript #ReactJS #WebDev #OpenSource #DevTools #SoftwareEngineering #DeveloperSecurity #SecureCoding #GitHub #SupplyChainAttack #Programming #TechNews #DevOps #ApplicationSecurity #ThreatResearch #SecurityEngineering #CyberAttack #Hackers #MalwareAlert #SecurityResearch #DevCommunity -
https://winbuzzer.com/2026/05/10/openai-opens-gpt-5-5-cyber-to-vetted-security-researchers-xcxwbn/
OpenAI Opens GPT-5.5-Cyber to Vetted Cybersecurity Researchers
#AI #GPT55 #GPT54Cyber #OpenAI #GPT5 #AISecurity #AISafety #AIModels #ClaudeMythos #SecurityResearch
-
https://winbuzzer.com/2026/05/10/openai-opens-gpt-5-5-cyber-to-vetted-security-researchers-xcxwbn/
OpenAI Opens GPT-5.5-Cyber to Vetted Cybersecurity Researchers
#AI #GPT55 #GPT54Cyber #OpenAI #GPT5 #AISecurity #AISafety #AIModels #ClaudeMythos #SecurityResearch
-
Dear companies of the world , if your turnover is £1m+ , have a security contact email . Or respond to it . Ffs #securityresearch #security #business
-
Dear companies of the world , if your turnover is £1m+ , have a security contact email . Or respond to it . Ffs #securityresearch #security #business
-
>The security industry is going to get bigger because of AI, not smaller. There’s more code to audit, more attack surface to cover, more companies shipping faster than their security teams can keep up with. The demand for people who can actually find and understand vulnerabilities is going up, not down. AI is a force multiplier. It always needs a human guiding it, and I think it always will. The future is human researchers with AI tools, not AI researchers with no humans. And honestly, given the quality of code AI is helping produce, security researchers should be thanking it for the job security.
Much needed quote from Simon Koeck.
While to be very fair, the content of the blogpost are not something new. Just a regular reassurance we needed.
I need to add additional things that I think most reassurance post has not been said.
**SECURITY RESEARCH IS NOT JUST ABOUT FINDING 0DAYS**
We have unnecessary censorships to fight, educating, creating better frameworks, creating better tools, AND MANY MANY MORE.
It won't go away just because Glasswing finding zero days.
https://simonkoeck.com/blog/ai-is-not-replacing-security-researchers
-
The pentest professionals at #usdHeroLab identified a vulnerability in #EntraID during a cloud #pentest that allows the circumvention of conditional access policies for privileged identities.
Two additional vulnerabilities were identified during a web application pentest of #Tenable Nessus Manager, which allow low-privileged users to read arbitrary files at the operating system level.
All #vulnerabilities were reported to the vendors as part of our Responsible Disclosure policy.
🔎 You can find detailed information on the #SecurityAdvisories here: https://www.usd.de/en/security-advisories-entra-id-tenable-nessus-manager/
#SecurityResearch #SecurityAdvisory #moresecurity #NessusManager #Pentesting #Hacking #CVE_2026_3493 #AppSec #InfoSec #CyberSecurity
-
I don't know enough about security research. For a project like Node.js does stopping bug bounties drastically impact anything?
On the face of it, no money means people may be less incentivised to help or report, which feels bad.
But Node.js is a massive concern, so is there enough goodwill and surface area that people will help and report anyway? Simply because big orgs rely on it?
https://nodejs.org/en/blog/announcements/discontinuing-security-bug-bounties
-
https://winbuzzer.com/2026/04/09/windows-zero-day-published-on-github-after-msrc-silence-xcxwbn/
Windows Zero-Day Published on Github as Microsoft Fails to Act
#Microsoft #Windows #WindowsSecurity #Cybersecurity #ZeroDayVulnerabilities #Exploits #Vulnerability #VulnerabilityDisclosure #SecurityResearch #Windows11 #BigTech
-
Anthropic pointed Claude Code at Linux kernel source files one at a time, framed as a security puzzle. It found a heap overflow in NFS code hiding since March 2003. Four more kernel bugs followed. 500+ validated vulnerabilities in weeks. Linux Foundation set aside $12.5M to help maintainers cope. Nobody found a volunteer to maintain a Google Drive library for 3.5 years. The bottleneck was never the bugs.