Companies will put up all kinds of obstacles to responsible disclosure for researchers to get around, to make their own lives easier. But they often forget that in the end it is the researcher who calls the shots. It is the researcher's vuln and they can do whatever they want with it.

https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/#comments

#vulnerability #disclosure #responsibledisclosure #windows #microsoft

Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions.

BleepingComputer

Bug bounty SLA transparency:

A Critical-severity account takeover affecting millions of users was submitted via @hackerone on March 11, with complete attack chain and code-level evidence.

28 days: no vendor response.
Mediation requested on day 16: still pending.
Program's published SLA: 2 days.

Sharing this timeline publicly because the internal process has stalled.

#InfoSec #BugBounty #ResponsibleDisclosure 1/3

RE: https://mastodon.nl/@SIDN/116317873852576082

Security.txt is a relatively new standard that helps security researchers report vulnerabilities. This contributes to a safer internet.

@SIDN has updated its information page about this standard: https://www.sidn.nl/moderne-internetstandaarden/security-txt An English translation will also be published soon.

Want to know whether security.txt is set up correctly on your website? Test it at https://Internet.nl!

#securitytxt #internetstandards #security #responsibledisclosure
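For the security.txt check mentioned above, the following is an added example, not code from SIDN or Internet.nl, showing the structural checks such a test performs on the file body according to RFC 9116 (required Contact and Expires fields, URI schemes, the Expires timestamp). The sample files, the example.com host and the fixed clock are constructed for the example; it fetches nothing and does not verify a PGP signature.

```python
"""Structural validator for a security.txt body (RFC 9116).

Added example; not code from SIDN or Internet.nl. It checks the file
body only: a real check also needs the file served at
https://<host>/.well-known/security.txt and, if it is PGP-signed,
signature verification, neither of which is done here.
"""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
# Fields defined by RFC 9116; field names are case-insensitive.
KNOWN = {"Acknowledgments", "Canonical", "Contact", "CSAF", "Encryption",
         "Expires", "Hiring", "Policy", "Preferred-Languages"}
# Fields whose value is a web URL, which the RFC requires to use https.
HTTPS_ONLY = {"Acknowledgments", "Canonical", "CSAF", "Hiring", "Policy"}


def parse_fields(body):
    """Return (fields, errors). fields maps canonical field name -> list of
    values in file order; fields the RFC does not define are kept under the
    name as written (consumers are told to ignore fields they don't know)."""
    fields, errors = {}, []
    for n, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        if ":" not in line:
            errors.append(f"line {n}: expected 'Field: value'")
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        canon = next((k for k in KNOWN if k.lower() == name.lower()), name)
        if not value:
            errors.append(f"line {n}: empty value for {canon}")
            continue
        fields.setdefault(canon, []).append(value)
    return fields, errors


def _parse_expires(value):
    # RFC 9116 uses ISO 8601 / RFC 3339 timestamps; accept a trailing 'Z'.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def validate_security_txt(body, now=None):
    """Return a list of problems; an empty list means the body passes."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_fields(body)

    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field {name}")

    for uri in fields.get("Contact", []):
        if not uri.startswith(("https://", "mailto:", "tel:")):
            errors.append(f"Contact must be an https://, mailto: or tel: URI: {uri}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        errors.append("Expires must appear exactly once")
    for value in expires[:1]:
        try:
            exp = _parse_expires(value)
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if exp <= now:
            errors.append(f"file expired on {value}")
        elif exp - now > timedelta(days=365):   # RFC recommends < 1 year
            errors.append(f"Expires is more than a year away: {value}")

    for name in HTTPS_ONLY:
        for uri in fields.get(name, []):
            if not uri.startswith("https://"):
                errors.append(f"{name} must be an https:// URL: {uri}")

    for uri in fields.get("Encryption", []):
        if not uri.startswith(("https://", "dns:", "openpgp4fpr:")):
            errors.append(f"Encryption must be https://, dns: or openpgp4fpr:: {uri}")

    if len(fields.get("Preferred-Languages", [])) > 1:
        errors.append("Preferred-Languages must appear at most once")
    return errors


# Constructed sample bodies (example.com is a placeholder, not a real site).
GOOD = """# constructed sample file
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2026-06-30T23:59:59Z
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
"""
BAD = """Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
Policy: http://example.com/policy
Preferred-Languages: en
Preferred-Languages: nl
"""
# Fixed clock so the example is reproducible (assumption for the sample).
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, validate_security_txt(body, now=SAMPLE_NOW) or "ok")
```

The bad sample shows the four mistakes seen most often in the wild: a bare e-mail address instead of a mailto: URI, an Expires date in the past, a plain-http Policy link, and a duplicated single-occurrence field.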

CVEs · Issue #14576 · rustdesk/rustdesk

Bug Description Is there a reason none of these CVEs are being addressed? CVE-2026-3598: https://www.cve.org/CVERecord?id=CVE-2026-3598 CVE-2026-30783: https://www.cve.org/CVERecord?id=CVE-2026-307...

GitHub

We don't need to hack your AI Agent to hack your AI Agent …and we don't need an AI agent for that either :)

Via a large enterprise's AI assistant, we obtained access to several million Entra identities and all chat logs including attachments — no prompt injection or model tricks required.

For all we know, the poor agent was not at fault and may not have even been able to witness what was happening.

https://srlabs.de/blog/hacking-ai-agent

#AI #AIhacking #VulnerabilityDisclosure #ResponsibleDisclosure

We don't need to hack your AI Agent to hack your AI Agent - SRLabs Research

We strolled through an enterprise AI assistant's backend, helped ourselves to full application takeover and access to every chat log, and had a Microsoft Entra ID dump for dessert — no prompt injection, no model tricks, no AI expertise required.

SRLabs

Responsible Disclosure: what to do when you find a zero-day

Do you know what responsible disclosure is and why it is ESSENTIAL against zero-days? 👇

• What it is:
- Responsible disclosure = acting ethically: notifying the company before exposing the vulnerability.

• Practical step by step:
- 1️⃣ You find a vulnerability (zero-day)
- 2️⃣ Contact the company privately and...

#segurança #cybersecurity #ethicalhacking #responsibledisclosure #zeroday #infosec #MorningCrypto

Submitted my first responsible disclosure report today 🛡️
CVSS ~5.4, large German company. A little bit proud.
Details only after the patch, as it should be.
#ResponsibleDisclosure #InfoSec #CyberSecurity

🔐 Public disclosure: CVE-2025-69690 & CVE-2025-69691
Two authenticated RCE vulnerabilities in Netgate pfSense CE:

CVE-2025-69690 (CVSS 8.8): Unsafe deserialization
→ root RCE via backup restore (pfSense 2.7.2)
CVE-2025-69691 (CVSS 9.9): XMLRPC exec_php
→ root RCE via default credentials (pfSense 2.8.0)

Vendor notified Dec 2, 2025. Acknowledged, no patch planned.
Responsible disclosure followed throughout.

Full write-up: https://github.com/privlabs/CVE-2025-69690-CVE-2025-69691

#CVE #pfSense #InfoSec #RCE #SecurityResearch
#ResponsibleDisclosure

For researchers and those trying to disclose incidents responsibly or get help:

There is an international organization called FIRST.

From the FIRST Teams website:

"This is a list of the contact information for incident response teams participating in FIRST, the Forum of Incident Response and Security Teams. The teams are responsible for providing FIRST with their latest contact information for this page. The list is alphabetized by team name. All telephone numbers are preceded with the appropriate country code."

There are 829 teams listed. Some are government CERT teams, some are corporate incident response teams.

You might want to bookmark the site to speed up your attempt to contact these teams:

https://www.first.org/members/teams/#

#responsibledisclosure #incidentresponse #CERT

FIRST Teams

Contact information for incident response teams participating in FIRST, the Forum of Incident Response and Security Teams.

FIRST — Forum of Incident Response and Security Teams

I once talked about bug bounty platforms and warned the community about them.

There are deeper issues with these platforms:

https://www.linkedin.com/pulse/transparency-vs-silence-advisories-dont-exist-systems-johannes-greil-ufzpf/

Platforms are paid by vendors, so they listen to vendors. A lot of these vendors abuse the platform to silence offensive researchers and the platforms don't care.

➡️ My recommendation remains ⬅️

  • contact vendors directly via email
  • use your national CERT for escalations

If you're in Europe: you're in luck, from 2027 the Cyber Resilience Act (CRA) will make it mandatory to have a responsible disclosure process, so European vendors have to answer to the national CERT (or get fined).

#PenetrationTesting #pentesting #responsibledisclosure #infosec #cybersecurity #CRA #CyberResilienceAct

Transparency vs. Silence: If Advisories Don't Exist, Are Systems Really Secure?

What happens when security advisories aren't published? Lessons from PACS research: 20 CVEs, coordinated disclosure, patching, mitigation: transparency matters!