@wdormann Of course Microsoft used their GitHub ownership to remove the repo instead of fixing both problems (the exploit and the video requirement).

#bluehammer #github #censorship #responsibledisclosure

New blog post: I found two authorization bypasses in Zammad's new AI text tools feature, two weeks after 7.0 shipped. Any agent could execute group-restricted tools and pull ticket data from other groups via a single API call.

Patched in 7.0.1, three CVEs from this audit.

https://moltenbit.net/posts/bypassing-zammad-ai-text-tool-authorization-via-rest-api/

#infosec #zammad #cybersecurity #responsibleDisclosure #security

Bypassing Zammad's AI text tool authorization via REST API (CVE-2026-34782 / CVE-2026-34837)

How missing authorization checks in Zammad's REST API let agents execute group-restricted AI text tools and inject unauthorized ticket context into AI prompts.

moltenbit

Companies will put up all kinds of obstacles to responsible disclosure for researchers to get around to make their own lives easier. But they often forget that in the end it is the researcher who calls the shots. It is the researcher's vuln and they can do whatever they want with it.

https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/#comments

#vulnerability #disclosure #responsibledisclosure #windows #microsoft

Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions.

BleepingComputer

Bug bounty SLA transparency:

A Critical-severity account takeover affecting millions of users was submitted via @hackerone on March 11, with complete attack chain and code-level evidence.

28 days: no vendor response.
Mediation requested on day 16: still pending.
Program's published SLA: 2 days.

Sharing this timeline publicly because the internal process has stalled.

#InfoSec #BugBounty #ResponsibleDisclosure 1/3

RE: https://mastodon.nl/@SIDN/116317873852576082

Security.txt is a relatively new standard that helps security researchers report vulnerabilities. This contributes to a safer internet.

@SIDN has updated its information page about this standard: https://www.sidn.nl/moderne-internetstandaarden/security-txt An English translation will be published soon.

Want to know whether security.txt is set up correctly on your website? Test it at https://Internet.nl!

#securitytxt #internetstandards #security #responsibledisclosure

CVEs · Issue #14576 · rustdesk/rustdesk

Bug Description Is there a reason none of these CVEs are being addressed? CVE-2026-3598: https://www.cve.org/CVERecord?id=CVE-2026-3598 CVE-2026-30783: https://www.cve.org/CVERecord?id=CVE-2026-307...

GitHub

We don't need to hack your AI Agent to hack your AI Agent …and we don't need an AI agent for that either :)

Via a large enterprise's AI assistant, we obtained access to several million Entra identities and all chat logs including attachments — no prompt injection or model tricks required.

For all we know, the poor agent was not at fault and may not have even been able to witness what was happening.

https://srlabs.de/blog/hacking-ai-agent

#AI #AIhacking #VulnerabilityDisclosure #ResponsibleDisclosure

We don't need to hack your AI Agent to hack your AI Agent - SRLabs Research

We strolled through an enterprise AI assistant's backend, helped ourselves to full application takeover and access to every chat log, and had a Microsoft Entra ID dump for dessert — no prompt injection, no model tricks, no AI expertise required.

SRLabs

Responsible Disclosure: what to do when you find a zero-day

Do you know what responsible disclosure is and why it is ESSENTIAL against zero-days? 👇

• What it is:
- Responsible disclosure = acting ethically: notifying the company before exposing the vulnerability.

• Practical step by step:
- 1️⃣ You find a vulnerability (zero-day)
- 2️⃣ You contact the company privately and...

#segurança #cybersecurity #ethicalhacking #responsibledisclosure #zeroday #infosec #MorningCrypto

Submitted my first responsible disclosure report today 🛡️
CVSS ~5.4, large German company. A bit proud.
Details only after the patch: that's how it should be done.
#ResponsibleDisclosure #InfoSec #CyberSecurity

🔐 Public disclosure: CVE-2025-69690 & CVE-2025-69691
Two authenticated RCE vulnerabilities in Netgate pfSense CE:

CVE-2025-69690 (CVSS 8.8): Unsafe deserialization
→ root RCE via backup restore (pfSense 2.7.2)
CVE-2025-69691 (CVSS 9.9): XMLRPC exec_php
→ root RCE via default credentials (pfSense 2.8.0)

Vendor notified Dec 2, 2025. Acknowledged, no patch planned.
Responsible disclosure followed throughout.

Full write-up: https://github.com/privlabs/CVE-2025-69690-CVE-2025-69691

#CVE #pfSense #InfoSec #RCE #SecurityResearch
#ResponsibleDisclosure