New: "Sticking their heads out above the parapets" — the first qualitative study of researchers' lived experiences of legal risk, by Sunoo Park & Daniel R. Thomas (USENIX Security 2026). 36 researchers, 130 incidents, three decades. The CFAA and UK Computer Misuse Act chill good-faith research; it names disclose.io as part of the fix. Read it + catch the talk:
https://blog.disclose.io/above-the-parapets-the-chilling-effect-finally-has-receipts/
#infosec #CFAA #vulndisclosure
Above the Parapets: The Chilling Effect Finally Has Receipts

The first qualitative study of researchers' lived experiences of legal risk: Sunoo Park and Daniel R. Thomas (USENIX Security 2026) on how overbroad anti-hacking law chills good-faith security research — and why it names disclose.io as part of the fix.

Running With Scissors - The Disclose.io Blog
New disclosure: CL.TE HTTP request smuggling in OpenBSD relayd.
Latent in relay_http.c since 2012 (OpenBSD 5.2). The body was parsed as chunked but a co-present Content-Length header wasn't stripped before forwarding to backend, contrary to RFC 9112 §6.1.
Found by a targeted source-review pass against the RFC framing rules. Fixed in -current 2026-06-03 in a single commit.
https://stuart-thomas.com/research/relayd-cl-te-smuggling/
#infosec #OpenBSD #vulndisclosure
RELAYD-001 — OpenBSD relayd: CL.TE HTTP Request Smuggling

relayd parses the body as chunked but does not remove a co-present Content-Length header before passing the message to the backend, contrary to RFC 9112 §6.1. CL.TE request smuggling. Latent since 5.2; fixed 2026-06-03.
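The RFC 9112 §6.1 rule the post refers to, written out as a small framing-resolution check of the kind a forwarding proxy should run before it relays a request. This is an added example and is not relayd's code, nor code from the linked write-up; the function names, the `Framing` record and the constructed sample requests are all assumptions made here. When both `Transfer-Encoding: chunked` and `Content-Length` are present, the message is framed as chunked, the `Content-Length` header is dropped from the headers that will be forwarded, and the connection is marked for closing after the response, which is what §6.1 requires of a sender that forwards such a message. Conflicting or non-numeric `Content-Length` values are treated as unrecoverable framing errors rather than guessed at.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Header = Tuple[str, str]


@dataclass
class Framing:
    """Result of resolving how a request body is delimited (assumed shape)."""
    mode: str                      # "chunked", "content-length" or "none"
    length: Optional[int]          # body length when mode == "content-length"
    close_after: bool              # RFC 9112 §6.1: close after a CL+TE request
    headers: List[Header]          # headers that are safe to forward downstream
    reason: Optional[str] = None   # set when the request must be rejected (400)


def parse_headers(raw: bytes) -> List[Header]:
    """Split a request head (request line + headers) into (name, value) pairs."""
    lines = raw.decode("ascii").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:          # lines[0] is the request line
        if line == "":              # empty line terminates the header section
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def _reject(headers: List[Header], why: str) -> Framing:
    # Invalid framing is unrecoverable: do not forward, close the connection.
    return Framing("none", None, True, headers, reason=why)


def resolve_framing(headers: List[Header]) -> Framing:
    """Apply RFC 9112 §6.1 precedence: Transfer-Encoding wins over Content-Length."""
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl_values = [v for n, v in headers if n.lower() == "content-length"]

    if te_values:
        codings = [c.strip().lower()
                   for v in te_values for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            return _reject(headers, "Transfer-Encoding without final chunked coding")
        # §6.1: a sender MUST remove Content-Length before forwarding a message
        # that carries both headers, and MUST close the connection afterwards.
        forwardable = [(n, v) for n, v in headers if n.lower() != "content-length"]
        return Framing("chunked", None, bool(cl_values), forwardable)

    if cl_values:
        distinct = {v.strip() for v in cl_values}
        if len(distinct) != 1:
            return _reject(headers, "conflicting Content-Length values")
        value = next(iter(distinct))
        if not value.isdigit():
            return _reject(headers, "invalid Content-Length value")
        return Framing("content-length", int(value), False, headers)

    return Framing("none", 0, False, headers)


# Constructed sample request heads (bodies omitted); hostnames are placeholders.
CL_TE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: backend.example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)
PLAIN_CL_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: backend.example.test\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
)
CONFLICTING_CL_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: backend.example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("CL+TE", CL_TE_REQUEST),
                       ("CL only", PLAIN_CL_REQUEST),
                       ("conflicting CL", CONFLICTING_CL_REQUEST)):
        fr = resolve_framing(parse_headers(raw))
        print(label, fr.mode, fr.length, "close" if fr.close_after else "keep",
              fr.reason or "forward:", [n for n, _ in fr.headers])
```

A proxy that forwards `fr.headers` instead of the original header list can no longer hand the backend a message whose framing it resolved differently from the backend, which is the whole of the CL.TE problem the disclosure describes. Rejecting on `fr.reason` rather than silently picking one header is the stricter option that §6.1 also permits.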

New methodology paper: The Calculator Discipline.

A four-class taxonomy of AI-assisted disclosure hallucinations, a pre-send filter that catches the mechanical ones, and two real withdrawals from my own OpenBSD work — including the one Theo de Raadt asked the right question about.

Honest case studies from the sender's end of a problem the field has only described from the receiving end.

DOI: 10.5281/zenodo.20393083
Read: https://stuart-thomas.com/research/calculator-discipline/

#infosec #OpenBSD #vulndisclosure #methodology

The Calculator Discipline — AI-Assisted Disclosure Hallucinations

A four-class taxonomy, a pre-send filter, and two real withdrawals from the author's own OpenBSD work.

New methodology paper: The Calculator Discipline.

A four-class taxonomy of AI-assisted disclosure hallucinations, a pre-send filter that catches the mechanical ones, and two real withdrawals from my own OpenBSD work — including the one Theo de Raadt asked the right question about.

Honest case studies from the sender's end of a problem the field has only described from the receiving end.

CC BY 4.0 · BSD-2-Clause tool.

https://stuart-thomas.com/research/calculator-discipline/

#infosec #OpenBSD #AI #vulndisclosure #methodology

Portugal’s cybercrime law now exempts security researchers from prosecution for good-faith research. HIGH severity (regulatory), not a technical threat. No CVE, but likely more vulnerability disclosures from Portugal ahead. https://radar.offseq.com/threat/portugal-updates-cybercrime-law-to-exempt-security-e1a7abd5 #OffSeq #CyberLaw #VulnDisclosure

NVD Delays Leave Defenders in the Dark — Early Visibility is Key
Tenable’s recent analysis shows a worrying pattern in vulnerability disclosure timing:
- 63,862 CVEs from 2024–2025
- 56% of PoCs released within 7 days
- NVD lagging by ~15 days
- Exploitation confirmed in as little as 5 days
This gap between CVE assignment, PoC publication, and NVD visibility creates exploitable blind spots for enterprises relying on traditional patch cycles.
💬 Security leaders - how do you bridge these gaps? Do you trust vendor advisories, exploit feeds, or telemetry-driven signals more?

👍 Like and follow @technadu for continuous coverage of emerging vulnerability management insights.

#InfoSec #CyberSecurity #VulnerabilityManagement #ThreatIntel #NVD #Exploit #RiskIntel #Tenable #CVEs #CyberDefense #ZeroDay #CVETracking #VulnDisclosure #TechNadu