Braden Russell, CTO at Bugcrowd, says security teams are drowning in noise, not lacking detection.
🧑‍💻 "The LLMs and the AI models that are coming out now are just dumping thousands of vulnerabilities."
🧑‍💻 Broken access control remains one of the fastest-growing risks.
🧑‍💻 External researchers often identify weaknesses internal teams normalize.

Read more:
https://www.technadu.com/external-bug-hunters-are-a-critical-human-layer-in-ai-accelerated-security-operations/628538/

#BugBounty #AppSec #CyberSecurity #ThreatIntel #DevSecOps #Bugcrowd

🛡️ WINTERGATE INTELLIGENCE COLLECTIVE - TRUSTPILOT UPDATE

Current status: Trustpilot has been silent for over 48 hours.

Timeline update:
- May 29, 12:00 PM: Cloudzy flags legitimate review as "defamatory"
- May 29, 4:13 PM: Trustpilot asks for proof of genuine experience
- May 29, 5:19 PM & 5:22 PM: Evidence provided (receipt, transcripts, 6 security sources, GitHub disclosure)
- May 29, evening: BBB complaint filed. Capterra/SiteJabber reviews posted. infosec.exchange account approved.
- May 30, 8:47 AM: Follow-up email documenting 15+ hours of silence
- May 30, 9:06 AM: Legal notice sent (criminal liability, OFAC sanctions)
- May 30, 9:XX AM: Policy violation notice sent (6 documented violations)
- May 31, 10:05 AM: Final notice sent with 4-day deadline. Identity established as AnonCatalyst, verified security researcher.

Actions taken during Trustpilot's silence:
✅ BBB complaint filed
✅ Capterra review submitted
✅ SiteJabber review live
✅ GitHub disclosure: 118 clones, 68 cloners, 3 documents
✅ Legal notice delivered to [email protected]
✅ Policy notice delivered to [email protected]
✅ Final notice with 4-day deadline delivered to [email protected]

Trustpilot has now violated at least six of their own policies:
1. Removing a genuine review (receipt provided)
2. Removing based on business disagreement (no evidence from Cloudzy)
3. Tolerating flagging tool misuse (Cloudzy's false "defamation" claim)
4. Failing to investigate in a timely manner (48+ hours)
5. No action against Cloudzy for false flagging
6. No transparency, no communication, no decision

Cloudzy remains documented as:
- A front for abrNOC based in Tehran, Iran
- Host of 17+ APT groups (Iran, North Korea, China, Russia)
- Provider to ransomware gangs and US-sanctioned spyware vendors
- Recommended for blocking by Security Risk Advisors

4-day deadline started May 31. If review not restored by June 4, I go fully public:

- Major tech publications (TechCrunch, Ars Technica, The Register, BleepingComputer)
- Formal complaints (FTC, OFAC, NY State Attorney General)
- Public warning: "Trustpilot cannot be trusted"

The security community is watching. The evidence is public. Trustpilot's silence is a choice.

Full documentation:
github.com/WinterGate-IC/cloudzy-upstream-filter-vulnerability

@WinterGateIC
#Trustpilot #Cloudzy #Infosec #ThreatIntel #APT #OFAC #Bugcrowd #VulnerabilityDisclosure

🛡️ WINTERGATE INTELLIGENCE COLLECTIVE - MILESTONE

Not just a review dispute. Not just a disclosure. A full infrastructure takedown.

Cloudzy flagged our Trustpilot review as "defamatory." Trustpilot asked for a receipt.

We gave them:
- Receipt (proof of customer)
- Support transcripts (Cloudzy admitted the issue)
- Conditional refund offer in writing
- Six independent security sources
- Complete GitHub disclosure (118 clones, 68 cloners)

Trustpilot went silent for over 18 hours. So we:
- Filed BBB complaint
- Posted on Capterra and SiteJabber
- Joined infosec.exchange (security community notified)
- Sent legal notice (criminal liability, OFAC sanctions)
- Sent policy violation notice (6 documented violations)

Now submitting the upstream SSH filtering vulnerability to Bugcrowd today or tomorrow.

Professional validation. Potential reward. Permanent record.

Cloudzy thought flagging a review would silence us.

They were wrong.

Full documentation: github.com/WinterGate-IC/cloudzy-upstream-filter-vulnerability

@WinterGateIC
#Bugcrowd #Cloudzy #Trustpilot #Infosec #ThreatIntel #APT #VulnerabilityDisclosure

The 'Vulnpocalypse': Why experts fear AI could tip the scales toward hackers by Kevin Collier

The rise of advanced artificial‑intelligence models that can automatically locate and exploit software flaws has sparked alarm among security researchers, who warn of a looming “Vulnpocalypse.” As AI becomes capable of finding vulnerabilities faster than human analysts, hackers could use these tools to launch far more sophisticated attacks, turning everyday code defects into powerful weaponry. Anthropic’s decision to withhold its newest model, Mythos Preview, from public release reflects the fear that such technology could quickly fall into malicious hands and amplify the scale and speed of cyber‑intrusions.

Industry experts say the threat is not speculative. Casey Ellis of Bugcrowd notes that AI will put vulnerability‑discovery tools in the hands of a much broader pool of adversaries, while Anthropic’s own offensive‑research lead, Logan Graham, predicts that comparable models will be widely available within a year, regardless of Anthropic’s restraint. These models can not only pinpoint single flaws but also chain multiple weaknesses together into complex exploits, raising the possibility of large‑scale outages in cloud services, financial systems, hospitals, and manufacturing plants. Security leaders such as Katie Moussouris and Cynthia Kaiser warn that even “wannabe” hackers could now wield a superweapon, targeting critical sectors where downtime is intolerable.

The consequences could extend to state‑backed cyber warfare. Iran’s hackers have so far achieved limited destructive impact, but AI‑driven tools could enable them—and other nation‑state actors—to automate the reconnaissance and intrusion of industrial control systems, including water and energy infrastructure. While some analysts caution that the most extreme doomsday scenarios remain unlikely, the consensus is clear: without swift defensive preparations, AI‑enhanced hacking capabilities could dramatically reshape the cybersecurity landscape within months, demanding urgent attention from governments, corporations, and security teams alike.

Read more: https://www.nbcnews.com/tech/security/anthropic-claude-mythos-ai-hackers-cybersecurity-vulnerabilities-rcna273673

#bugcrowd

Anthropic is withholding its most advanced model over hacking concerns. Experts say it may only be a matter of time before similar tools are widely available.

NBC News

📢 Inside the Mind of a Hacker 2026: profiles, motivations and the impact of AI
📝 Source: Bugcrowd – "Inside the Mind of a Hacker" report, Volume 9, 2026.
📖 cyberveille: https://cyberveille.ch/posts/2026-01-30-inside-the-mind-of-a-hacker-2026-profils-motivations-et-impact-de-lia/
🌐 source: https://www.bugcrowd.com/resources/report/inside-the-mind-of-a-hacker/
#Bugcrowd #IA_en_cybersécurité #Cyberveille

Source: Bugcrowd – "Inside the Mind of a Hacker" report, Volume 9, 2026. Context: a study and interviews with more than 2,000 hackers on the Bugcrowd platform covering demographics, motivations, teamwork and the use of AI. – The report makes the case for the era of "human augmented intelligence", in which human creativity is combined with AI. 98% of hackers say they are proud of their work and 95% consider hacking an art. The public and businesses perceive hackers differently, with businesses more likely to see them as an asset. Motivations are multi-factorial (money, opportunities, new experiences), with 85% prioritizing the reporting of a critical vulnerability over financial gain when there is no clear channel. About 1 in 5 identifies as neurodivergent.

CyberVeille

BugCrowd Bug Bounty Disclosure: P4 - Publicly accessible phpinfo() exposes detailed server configuration - MattKingst - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-publicly-accessible-phpinfo-exposes-detailed-server-configuration/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

PHPInfo exposed in an easy to guess endpoint

RedPacket Security

BugCrowd Bug Bounty Disclosure: P2 - IDOR that allows disclosing Username,Email,PIN,FirstName,LastName,UEI,FirmName,Address,PhoneNumbers etc of PROSAMS application users. - - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-idor-that-allows-disclosing-username-email-pin-firstname-lastname-uei-firmname-address-phonenumbers-etc-of-prosams-application-users/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

An Insecure Direct Object Reference (IDOR) was discovered in the NASA system via the PROSAMS (Proposal Submissions and Awards Management System) application.

BugCrowd Bug Bounty Disclosure: P3 - Internal scan through SSRF in NASA Worldwind API - RedPacket Security

A Server-Side Request Forgery was identified in the NASA WorldWind WMS GetMap endpoint via the SLD parameter. By supplying an SLD URL, the service fetched and

BugCrowd Bug Bounty Disclosure: P4 - Unauthenticated Metrics Endpoint Exposes Sensitive Internal Grafana & NASA Infrastructure Data - whitebear_0one - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-unauthenticated-metrics-endpoint-exposes-sensitive-internal-grafana-nasa-infrastructure-data/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

An unauthenticated metrics endpoint is publicly accessible and exposes sensitive Prometheus-style metrics related to internal Grafana / InfluxDB systems

BugCrowd Bug Bounty Disclosure: P4 - NASA NLSP API discloses internal usernames and system role mappings to unauthenticated users - c3L0Mu1d3R - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-nasa-nlsp-api-discloses-internal-usernames-and-system-role-mappings-to-unauthenticated-users/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

A public API endpoint on the NASA NLSP domain discloses internal user identifiers, usernames, and detailed role/group assignments without requiring