Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised | Wiz Blog

Detect and mitigate malicious npm packages linked to the latest Mini Shai-Hulud supply chain campaign targeting high-value developer tooling.

wiz.io

I’ve published a new case study on BASE System, a multi-tenant ticketing platform from Poland used - according to the operator’s own claims - by more than 50 venues in Poland.

The article documents customer email exposed in a redirect URL, nginx/1.10.3 on Ubuntu 16.04, broken CORS, cookies without the Secure flag, and a sales layer running under homelinux.net... DynDNS from Oracle.

https://dadalo.pl/en/tech/anatomy-risks-multi-tenant-ticketing-platform-orientarium-zoo-lodz/

#privacy #cybersecurity #infosec #gdpr #appsec #securityresearch #privacy #phishing

Anatomy of risks of a multi-tenant ticketing platform for tourist attractions — a case study of Orientarium Zoo Łódź

Case study of the BASE multi-tenant ticketing platform serving 50+ tourist facilities in Poland - technical analysis based on the ticket purchase process at Orientarium Zoo Łódź. Four basic architectural flaws: DynDNS infrastructure in the homelinux.net domain, EOL nginx 1.10.3, problematic CORS configuration, passing personal data in URL parameters to the payment operator. Extended version of the notification submitted to the President of UODO on April 23, 2026, with point verification of the status on the day of publication.

Signal Dadalo Media

Lukasz Olejnik (@lukOlejnik)

This rebuts the expectation that LLMs will find every vulnerability in cybersecurity. Although cases of finding vulnerabilities with LLMs have recently increased, it emphasizes that there are real limits and that AI will not solve all security problems.

https://x.com/lukOlejnik/status/2053180557530460506

#llm #cybersecurity #vulnerabilities #securityresearch

Lukasz Olejnik (@lukOlejnik) on X

AI will not solve cybersecurity! “With the recent news of folks finding vulnerabilities left and right using LLMs, some folks hope that we'd be able to find every single vulnerability. Today, I hope to shatter that idea” https://t.co/XrXoyy0gFw

X (formerly Twitter)

Dear companies of the world, if your turnover is £1m+, have a security contact email. Or respond to it. Ffs #securityresearch #security #business

⚡ Fresh Talk Alert for BSides Luxembourg 2026!

“Confound and Delay: Honeypot Chronicles from the Digital Battlefield” – Kat Fitzgerald ( @rnbwkat )
Talk (40 minutes)

Step into a 40-minute talk that takes you across the globe through real-world honeypot deployments, uncovering how attackers behave when they think no one is watching. From unexpected attack patterns to cultural quirks and operational chaos, this session blends storytelling with practical insights drawn from running deception systems in diverse and high-risk environments.

Through vivid field experiences, you’ll learn how honeypots can be tailored, maintained, and leveraged to strengthen detection and response strategies. Beyond the humor and war stories, the talk delivers actionable lessons on cyber deception, resilience, and turning attacker behavior into defensive advantage.

Kat Fitzgerald ( @rnbwkat ) is a Chicago-based security engineer known for blending technical depth with humor and storytelling. With extensive experience running honeypots across global environments, she brings unique insights into attacker behavior, cyber deception strategies, and real-world operational challenges.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule: https://pretalx.com/bsidesluxembourg-2026/schedule/

📲 Want to navigate the event easily? Check out the full schedule on Hacker Tracker:
https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #CyberSecurity #Honeypots #ThreatIntelligence #BlueTeam #SecurityResearch

>The security industry is going to get bigger because of AI, not smaller. There’s more code to audit, more attack surface to cover, more companies shipping faster than their security teams can keep up with. The demand for people who can actually find and understand vulnerabilities is going up, not down. AI is a force multiplier. It always needs a human guiding it, and I think it always will. The future is human researchers with AI tools, not AI researchers with no humans. And honestly, given the quality of code AI is helping produce, security researchers should be thanking it for the job security.

Much needed quote from Simon Koeck.

While, to be very fair, the content of the blog post is not something new. Just the regular reassurance we needed.

I need to add additional things that I think most reassurance posts have not said.

**SECURITY RESEARCH IS NOT JUST ABOUT FINDING 0DAYS**

We have unnecessary censorship to fight, educating, creating better frameworks, creating better tools, AND MANY MANY MORE.

It won't go away just because Glasswing is finding zero days.

https://simonkoeck.com/blog/ai-is-not-replacing-security-researchers

#cybersecurity #infosec #ai #security #securityresearch

AI Is Not Replacing Security Researchers | Simon Koeck

AI is starting to find real vulnerabilities on its own. But every time it runs without a human in the loop, things go sideways. The future of security research is human-guided AI, not AI alone.

Simon Koeck

The pentest professionals at #usdHeroLab identified a vulnerability in #EntraID during a cloud #pentest that allows the circumvention of conditional access policies for privileged identities.

Two additional vulnerabilities were identified during a web application pentest of #Tenable Nessus Manager, which allow low-privileged users to read arbitrary files at the operating system level.

All #vulnerabilities were reported to the vendors as part of our Responsible Disclosure policy.

🔎 You can find detailed information on the #SecurityAdvisories here: https://www.usd.de/en/security-advisories-entra-id-tenable-nessus-manager/

#SecurityResearch #SecurityAdvisory #moresecurity #NessusManager #Pentesting #Hacking #CVE_2026_3493 #AppSec #InfoSec #CyberSecurity

Security Advisories: Entra ID & Tenable Nessus Manager | usd AG

Our penetration testing professionals have identified critical vulnerabilities in Entra ID and Tenable Nessus Manager. Learn more.

more security. usd AG

I don't know enough about security research. For a project like Node.js does stopping bug bounties drastically impact anything?

On the face of it, no money means people may be less incentivised to help or report, which feels bad.

But Node.js is a massive concern, so is there enough goodwill and surface area that people will help and report anyway? Simply because big orgs rely on it?

https://nodejs.org/en/blog/announcements/discontinuing-security-bug-bounties

#Node #NodeJS #Security #SecurityResearch #BugBounty

Node.js — Security Bug Bounty Program Paused Due to Loss of Funding

Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.