#vulnerabilitydisclosure — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #vulnerabilitydisclosure, aggregated by home.social.
-
https://winbuzzer.com/2026/04/09/windows-zero-day-published-on-github-after-msrc-silence-xcxwbn/
Windows Zero-Day Published on Github as Microsoft Fails to Act
#Microsoft #Windows #WindowsSecurity #Cybersecurity #ZeroDayVulnerabilities #Exploits #Vulnerability #VulnerabilityDisclosure #SecurityResearch #Windows11 #BigTech
-
Acknowledging Reality in Vulnerability Disclosure.
Every few years, vulnerability disclosure is declared settled. We are told that the ecosystem has matured, that coordinated disclosure is the answer, and that whatever remains outside this model is either irresponsible, obsolete, or simply irrelevant.
🔗 https://www.foo.be/2026/02/Acknowledging-Reality-in-Vulnerability-Disclosure
#vulnerabilitymanagement #gcve #cve #cybersecurity #cvd #vulnerabilitydisclosure #open
This is my bloody personal blog, not an official statement.
-
PoC exploits are now public for CVE-2025-69258 in Trend Micro Apex Central (on-premise), a vulnerability that could allow unauthenticated RCE on affected systems.
A patch is available, and there are no confirmed exploitation reports so far. Public PoCs, however, tend to accelerate attacker interest.
Follow @technadu for objective and technically grounded infosec updates.
Source: https://www.helpnetsecurity.com/2026/01/08/trend-micro-apex-central-cve-2025-69258-rce-poc/
#Infosec #VulnerabilityDisclosure #PatchManagement #RCE #EnterpriseSecurity #ThreatLandscape
-
Check out ˗ˏˋ ⭒ https://lnkd.in/gE2wUqgc ⭒ ˎˊ˗ to see my intro whilst you listen.
I'm thus re-naming this work as "CVE Keeper - Security at x+1; rethinking vulnerability management beyond CVSS & scanners". I must also thank @andrewpollock for reviewing several of my verbose drafts. 🫡
So, Security at x+1; rethinking vulnerability management beyond CVSS & scanners -
Most vulnerability tooling today is optimized for disclosure and alert volume, not for making correct decisions on real systems. CVEs arrive faster than teams can evaluate them, scores are generic, context arrives late, and we still struggle to answer the only question that matters: does this actually put my system at risk right now?
Over the last few years working close to CVE lifecycle automation, I’ve been designing an open architecture that treats vulnerability management as a continuous, system-specific reasoning problem rather than a static scoring task. The goal is to assess impact on the same day for 0-days using minimal upstream data, refine accuracy over time as context improves, reason across dependencies and compound vulnerabilities, and couple automation with explicit human verification instead of replacing it.
This work explores:
⤇ 1• Same-day triage of newly disclosed and 0-day vulnerabilities
⤇ 2• Dependency-aware and compound vulnerability impact assessment
⤇ 3• Correlating classical CVSS with AI-specific threat vectors
⤇ 4• Reducing operational noise, unnecessary reboots, and security burnout
⤇ 5• Making high-quality vulnerability intelligence accessible beyond enterprise teams
The core belief is simple: most security failures come from misjudged impact, not missed vulnerabilities. Accuracy, context, and accountability matter more than volume.
I’m sharing this to invite feedback from folks working in CVE, OSV, vulnerability disclosure, AI security, infra, and systems research. Disagreement and critique are welcome. This problem affects everyone, and I don’t think incremental tooling alone will solve it.
P.S.
- Super appreciate everyone that's spent time reviewing my drafts and reading all my essays lol. I owe you 🫶🏻
- ... and GoogleLM. These slides would have taken me forever to make otherwise.
Take my CVE-data User Survey to allow me to tailor your needs into my design - lnkd.in/gcyvnZeE
See more at - lnkd.in/gGWQfBW5
lnkd.in/gE2wUqgc
#VulnerabilityManagement #Risk #ThreatModeling #CVE #CyberSecurity #Infosec #VulnerabilityManagement #ThreatIntelligence #ApplicationSecurity #SecurityOperations #ZeroDay #RiskManagement #DevSecOps #CVE #CVEAnalysis #VulnerabilityDisclosure #SecurityData #CVSS #VulnerabilityAssessment #PatchManagement #AI #AIML #AISecurity #MachineLearning #AIThreats #AIinSecurity #SecureAI #OSS #Rust #ZeroTrust #Security
https://www.linkedin.com/feed/update/urn:li:activity:7409399623087370240
-
Why vulnerability reports stall inside shared hosting companies https://www.helpnetsecurity.com/2025/12/17/hosting-provider-vulnerability-notifications-remediation/ #vulnerabilitydisclosure #vulnerabilitymanagement #cybersecurity #Don'tmiss #Features #Hotstuff #research #strategy #News #tips
-
OIG Audit Finds Commerce Department Failing to Fully Secure Public-Facing Systems https://thecyberexpress.com/vdp-oig-audit-cybersecurity/ #VulnerabilityDisclosure #TheCyberExpressNews #Vulnerabilities #TheCyberExpress #FirewallDaily #CyberNews #CISA #OIG #VDP
-
100th post, as fine a time as any to do the traditional #introduction before nobody on #mastodon does them anymore.
I’m a #hacker , a parent, a founder & CEO, government advisory board member, cat food servant, defender and participant in democracy, & an arm wrestling and karaoke enthusiast — not necessarily at the same time, but not opposed to trying it all at once either.
Carpe brachium karaoke as they say. 💪🏼🎤
Here we go. Get a snack & some water, this is long. 🍪 🥛
My professional passions include #SystemDynamics & #security with my #focus on helping organizations & governments develop healthy sustainable #VulnerabilityDisclosure programs that may end up growing into a #BugBounty program, or helping existing programs mature & evolve.
🌺🏝️ 🌺🏝️ 🌺🏝️ 🌺🏝️
🌺I founded & run https://www.Lutasecurity.com & we employ dozens of people, mostly in the US, to help some of our customers manage their #VDPs and #BugBounties as internally-placed personnel.
📜Services: https://www.lutasecurity.com/services
💻Hiring: https://www.lutasecurity.com/careers
💵Referral bounties: https://www.lutasecurity.com/referralbounty
🌺🏝️ 🌺🏝️ 🌺🏝️ 🌺🏝️
👩🏻💻💰🛡️ 👩🏻💻💰🛡️ 👩🏻💻💰🛡️
I helped launch #HackThePentagon in 2016, which was the first bug bounty of the US government & the first time it was legal to hack the USG.
👩🏻💻💰🛡️ 👩🏻💻💰🛡️ 👩🏻💻💰🛡️
This was after I created Microsoft’s first bug bounty programs in 2013, paying out the most at the time for brand new exploitation techniques, which would later lead to me directly helping the US renegotiate the #Wassenaar Arrangement to clarify “intrusion software” and “intrusion software technology” export control exemptions to more easily allow for hassle-free exchange of 0day & malware samples across borders for vulnerability disclosure & incident response.
🛠️💻 🛠️💻 🛠️💻 🛠️💻
I also started two vulnerability research programs, Symantec Vulnerability Research & Microsoft Vulnerability Research. The latter was also the first formal major vendor multiparty #SupplyChain vulnerability coordination & disclosure program.
🛠️💻 🛠️💻 🛠️💻 🛠️💻
I now serve on 3 Federal advisory boards in cyber.
⚖️NIST ISPAB: https://csrc.nist.gov/Projects/ispab/members
💱Commerce ISTAC: https://tac.bis.doc.gov/index.php/documents/members-listing/422-istac-website-listing/file
🚨DHS CSRB: https://www.dhs.gov/news/2022/02/03/dhs-launches-first-ever-cyber-safety-review-board
🎙️Fun fact: Despite mainstream media lip service about getting diverse voices on TV, and my extensive direct experience in US domestic & foreign cyber policy & norm-setting, I have *never* been invited to be on broadcast news to talk about it. Not one time. But there are the same dudes with none of my experience showing up on TV all the time.
📺 Email [email protected] if you can change that.
📺📺📺📺📺📺📺📺
⚖️💸 ⚖️💸 ⚖️💸 ⚖️💸
👩🏻⚖️ Speaking of gender equity, I was the lead plaintiff in the attempted class action gender pay and promotion discrimination lawsuit against Microsoft.
💵💪🏼 https://www.theverge.com/22331972/pay-equity-now-pledge-katie-moussouris-microsoft-lawsuit
When it failed to get class certified due to some legal gotchas, NOT because of lack of data and evidence, I decided to drop my case and founded https://www.payequitynowfoundation.org/blog & created
https://www.manglonalab.org/ to fight for #PayEquity in our lifetime.
⚖️💸 ⚖️💸 ⚖️💸 ⚖️💸
🌸Another fun fact: I’m asked about the gender stuff way more often than any of my professional work or national security work. I view this as The Lady Tax & I’m all paid up thanks.
🙅🏻♀️Don’t ask me about how to attract more diverse candidates, don’t ask me to mentor your mentee, and don’t ask me for any more free labor. Don’t ask any historically marginalized people to do free labor, especially to solve your diversity puzzle.
👏🏼I highly recommend https://blacktechpipeline.com/ if you are serious about not just hiring but welcoming more black workers into your company. There are specialty recruiters out there for you to pay, so don’t ask every woman or person of color you know to help you with that unless they are being paid to do it.
👏🏼💰👏🏼💰👏🏼💰👏🏼💰
🧩 Miscellaneous bits if you’ve made it this far is that I studied molecular biology, biochemistry & mathematics but dropped out to become a systems administrator, a professional Linux developer, then a hacker for hire.
🔐 I still hack by accident (because hacksidents happen), and nobody should have to be the coauthor/coeditor of the International Standards on how to do Vulnerability Disclosure to get an organization’s attention.
👩🏻🏫 ISO standards overview: https://m.youtube.com/watch?v=-L3DNZtK8lc
📲 Clubhouse hack: https://www.wired.com/story/clubhouse-bug-lurkers-ghost/
🔐🔐🔐🔐🔐🔐🔐
💸💸💸💸💸💸💸
🙄 Despite my entire career being technical, when my company tried for venture capital funding to build something cool, we were met with sexism & lack of imagination & I was hilariously asked more than once if I had a technical cofounder.
It’s cool, joke’s on them. We’re #profitable and growing.
🤨https://www.vice.com/en/article/xgyvza/this-hacker-is-trying-to-close-the-gender-pay-gap-in-cybersecurity
💸💸💸💸💸💸💸
🏛️🏛️🏛️🏛️🏛️🏛️🏛️
I participate in Democracy with more than voting. Anyone with the bandwidth should look into doing it too.
1. Google “find my Legislative district”
2. Go to your State website & search by your address
3. Look up your Legislative District’s (LD) website to find out how to join
4. Attend monthly LD meetings
5. Run for Delegate per LD or be appointed like me when not enough people do 1-4
🏛️🏛️🏛️🏛️🏛️🏛️🏛️
👋🏼✌🏼👋🏼✌🏼👋🏼✌🏼👋🏼✌🏼
🛑Ending abruptly is on brand for me as a neuroatypical person, so I’ll leave you with this thought:
🐈 I named my 17 year old cat Scapy (rhymes with happy) after the Python tool of the same name. Because he is dumb & fuzzy.
😸If you get that joke, you pretty much get me.
🤙🏽🤙🏽🤙🏽🤙🏽🤙🏽🤙🏽🤙🏽🤙🏽
✌🏼Be kind, drink water, touch grass, save the planet, save Democracy, pet cute animals. ✌🏼