RE: https://mastodon.nl/@SIDN/116317873852576082

Security.txt is een relatief nieuwe standaard, die beveiligingsonderzoekers helpt om kwetsbaarheden te melden. Dit draagt bij aan een veiliger internet.

@SIDN heeft haar informatiepagina over deze standaard bijgewerkt: https://www.sidn.nl/moderne-internetstandaarden/security-txt Binnenkort verschijnt ook een Engelse vertaling.

Wil je weten of security.txt op jouw website correct is ingesteld? Test het op https://Internet.nl!

#securitytxt #internetstandards #security #responsibledisclosure

How not to do #ResponsibleDisclosure in a nut shell:

https://github.com/rustdesk/rustdesk/issues/14576

#RustDesk #security

We don't need to hack your AI Agent to hack your AI Agent …and we don't need an AI agent for that either :)

Via a large enterprise's AI assistant, we obtained access to several million Entra identities and all chat logs including attachments — no prompt injection or model tricks required.

For all we know, the poor agent was not at fault and may not have even been able to witness what was happening.

https://srlabs.de/blog/hacking-ai-agent

#AI #AIhacking #VulnerabilityDisclosure #ResponsibleDisclosure

Responsible Disclosure: o que fazer quando você acha um zero-day

Você sabe o que é responsible disclosure e por que ele é ESSENCIAL contra zero-days? 👇

• O que é:
- Responsible disclosure (divulgação responsável) = agir com ética: avisar a empresa antes de expor a vulnerabilidade.

• Passo a passo prático:
- 1️⃣ Você encontra uma vulnerabilidade (zero-day)
- 2️⃣ Contata a empresa em privado e...

#segurança #cybersecurity #ethicalhacking #responsibledisclosure #zeroday #infosec #MorningCrypto

🔐 Public disclosure: CVE-2025-69690 & CVE-2025-69691
Two authenticated RCE vulnerabilities in Netgate pfSense CE:

CVE-2025-69690 (CVSS 8.8): Unsafe deserialization
→ root RCE via backup restore (pfSense 2.7.2)
CVE-2025-69691 (CVSS 9.9): XMLRPC exec_php
→ root RCE via default credentials (pfSense 2.8.0)

Vendor notified Dec 2, 2025. Acknowledged, no patch planned.
Responsible disclosure followed throughout.

Full write-up: https://github.com/privlabs/CVE-2025-69690-CVE-2025-69691

#CVE #pfSense #InfoSec #RCE #SecurityResearch
#ResponsibleDisclosure

For researchers and those trying to disclose incidents responsibly or get help:

There is an international organization called FIRST.

From the FIRST Teams website:

"This is a list of the contact information for incident response teams participating in FIRST, the Forum of Incident Response and Security Teams. The teams are responsible for providing FIRST with their latest contact information for this page. The list is alphabetized by team name. All telephone numbers are preceded with the appropriate country code."

There are 829 teams listed. Some are government CERT teams, some are corporate incident response teams.

You might want to bookmark the site to speed up your attempt to contact these teams:

https://www.first.org/members/teams/#

#responsibledisclosure #incidentresponse #CERT

I once talked about bug bounty platforms and warned the community about them.

There are deeper issues with these platforms:

https://www.linkedin.com/pulse/transparency-vs-silence-advisories-dont-exist-systems-johannes-greil-ufzpf/

Platforms are paid by vendors, so they listen to vendors. A lot of these vendors abuse the platform to silence offensive researchers and the platforms don't care.

➡️ My recommendation remains ⬅️

• contact vendors directly via email
• use your national CERT for escalations

If you're in Europe: you're in luck, from 2027 the Cyber Resilience Act (CRA) will make it mandatory to have a responsible disclosure process, so European vendors have to answer to the national CERT (or get fined).

#PenerationTesting #pentesting #responsibledisclosure #infosec #cybersecurity #CRA #CyberResilienceAct

Tesla was among the systems successfully exploited at Pwn2Own Automotive 2026, where researchers demonstrated chained zero-day vulnerabilities against IVI systems and EV charging hardware.

All findings fall under coordinated disclosure, reinforcing the importance of independent testing, patch timelines, and supply-chain visibility as vehicles evolve into software-defined platforms.

Source: https://www.bleepingcomputer.com/news/security/tesla-hacked-37-zero-days-demoed-at-pwn2own-automotive-2026/

Measured discussion welcome. Follow TechNadu for neutral automotive security coverage.

#Tesla #AutomotiveInfosec #ZeroDay #Pwn2Own #EVSecurity #ResponsibleDisclosure

🇧🇩 Today I'm going to talk about Bondstein Technologies Limited, a company based in Dhaka, Bangladesh. One of their servers was found to be completely open and unprotected.

Bondstein Technologies Limited is a Dhaka-based technology company specializing in Internet of Things (IoT) solutions and frontier technologies. Founded in 2014, it has established itself as a leading player in Bangladesh for vehicle tracking, industrial automation, and smart connectivity.

What data was exposed?

On December 26, 2025, I discovered that the server was exposing a 22 GB SQL backup file. According to the file timestamps and metadata, this backup appears to have been publicly accessible since at least July 2025.Among the files in the backup was users.sql, which contained the following sensitive fields:

username, customer_name, First_name, Last_name, Phone_number, Additional_contact-number, email, password.

*I was able to confirm that some of the employee names were real.

Additional findings:

The exposed server's IP resolved to a properly certified HTTPS server using a subdomain under .bondstein.net. The same IP also hosted a login portal (which I did not attempt to access).With this information, we were able to accurately identify the owner and submit a responsible disclosure.

Notification:

All of this was detailed in the email I sent to several Bondstein employees on December 26, 2025. When I checked again on January 5, 2026, the exposure had been fully closed. I followed up via email to inquire about any possible reward. On January 6, they replied with the following message:

Hi Chum1ng0,

Thank you for your responsible and detailed disclosure regarding the open directory issue on our server. We sincerely appreciate you taking the time and effort to notify us of this vulnerability, which allowed us to address it quickly. Your commitment to ethical research is truly valued. We want to confirm that the issue has been fixed and access has been restricted. We would also like to clarify that the server you identified is a staging server kept for internal purposes, and not a production environment. Regarding your request for a reward, we currently do not have an official bug bounty program in place. However, we are grateful for your help in securing our infrastructure.

We appreciate your patience and look forward to potentially collaborating in the future should we establish a formal program.

Sincerely
Bondstein

-NOT REWARD-

#VDP #responsibleDisclosure #misconfigurations #Bangladesh #cybersecurity #bondstein