Critical Vulnerabilities Found in Open Source AI/ML Platforms

January 19, 2024 at 12:24PM

Members of the Huntr bug bounty platform discovered critical vulnerabilities in MLflow and Hugging Face. The vulnerabilities in MLflow, with a CVSS score of 10, enabled attackers to delete files, access sensitive information, or execute remote code. Hugging Face also had a flaw allowing the injection of malicious code. ClearML …

Hacker Conversations: HD Moore and the Line Between Black and White

January 16, 2024 at 07:36AM

The definition of a hacker is explored in an interview with HD Moore, who highlights the distinctions between moral, amoral, and immoral hacking based on intent and actions. He recounts his upbringing, early experiences of exploring technology, and the ethical dilemmas faced. The interview delves into the legal implications and …

Trend Micro’s Bug Bounty Program ZDI 2023 Performance

January 12, 2024 at 12:11AM

Trend Micro’s Zero Day Initiative (ZDI) disclosed 1,913 bugs in 2023, with 74% rated as Critical/High risk. The program identified vulnerabilities in attacks using zero-day exploits and provided early virtual patches to protect customers. ZDI also contributed 20% of bugs to Microsoft and 78% to Adobe, supporting both vendors in …

Google Patches Six Vulnerabilities With First Chrome Update of 2024

January 4, 2024 at 10:13AM

Google announced the first Chrome security update of 2024, resolving six vulnerabilities, including high-severity memory safety flaws reported by external researchers. Bug bounty rewards were handed out for some of the reported flaws. The update strengthens Chrome’s defenses against exploitation and is available for macOS, Linux, and Windows. No current …

Hacker Conversations: Runa Sandvik

January 3, 2024 at 10:39AM

Cybersecurity researcher Runa Sandvik, known for her ‘situative’ approach, emphasizes the need for contextual understanding in cybersecurity. She believes curiosity, stubbornness, and an interest in the topic are vital for aspiring researchers. Sandvik discusses revenue sources for researchers, the ethics of bug bounties, responsible disclosure, and its legal implications. She …

Bugcrowd Announces Vulnerability Ratings for LLMs

December 20, 2023 at 08:21AM

Bugcrowd has updated its Vulnerability Rating Taxonomy with a new system for categorizing and prioritizing vulnerabilities in large language models. The open-source VRT initiative, launched in 2016, aids Bugcrowd and its customer organizations in standardizing vulnerability classification and assessing cybersecurity risks. The update was influenced by the OWASP Top 10 …

Will Putting a Dollar Value on Vulnerabilities Help Prioritize Them?

December 18, 2023 at 03:42PM

Zoom developed the Vulnerability Impact Scoring System (VISS) as a more objective approach to assessing the severity of vulnerabilities found during bug bounty programs. This system, providing a transparent and defensible way to calculate potential rewards for vulnerabilities, aims to prioritize critical and high-severity issues. VISS received positive feedback from …

Establishing Reward Criteria for Reporting Bugs in AI Products

December 15, 2023 at 06:16PM

Google has expanded its Bug Hunters program to include third-party discovery and reporting of issues and vulnerabilities specific to its AI systems. The program includes rewards for various attacks, model manipulations, adversarial perturbations, and model theft/exfiltration. Rewards are based on severity and the target affected. To report a qualifying issue, visit …

Zoom Unveils Open Source Vulnerability Impact Scoring System

December 15, 2023 at 08:36AM

Zoom unveiled an open source Vulnerability Impact Scoring System (VISS) to help organizations assess and prioritize vulnerabilities based on actual exploitation. The system, designed to complement the Common Vulnerability Scoring System, led to increased reports of critical vulnerabilities during testing and analyzes vulnerabilities based on 13 impact aspects. It remains …

Zoom’s Bug-Scoring System Prioritizes Riskiest Vulns for Cyber Teams

December 14, 2023 at 09:03AM

Zoom has introduced a new Vulnerability Impact Scoring System (VISS) to help cybersecurity teams prioritize threats. It analyzes 13 impact aspects, produces a 0-100 score, and can be adjusted using compensating controls. In testing, critical vulnerabilities increased by 28%, while medium-severity ones decreased by 57%. Zoom aims to enhance security …