Category: disclosure

  • Vulnerability Disclosure in the Age of AI

    New article: “Responsible Disclosure in the Age of AI: A Call for Urgent Action,” by Melissa Hathaway. Abstract: Artificial intelligence is fundamentally reshaping the balance between vulnerability discovery and remediation. Frontier AI models are now capable of autonomously identifying exploitable software vulnerabilities at unprecedented speed and scale. This…

  • Legal Restrictions on Vulnerability Disclosure

    Kendra Albert gave an excellent talk at USENIX Security this year, pointing out that the legal agreements surrounding vulnerability disclosure muzzle researchers while allowing companies to not fix the vulnerabilities—exactly the opposite of what the responsible disclosure movement of the early 2000s was supposed to prevent. This is the talk.…

  • Serious F5 Breach

    This is bad: F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a “long-term.” Security researchers who have responded to similar intrusions in the past took the language…

  • Hacking Electronic Safes

    Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this…

  • A Cyberattack Victim Notification Framework

    Interesting analysis: When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. When making notifications, companies often do not know the true identity of victims and may only…

  • Google Project Zero Changes Its Disclosure Policy

    Google’s vulnerability finding team is again pushing the envelope of responsible disclosure: Google’s Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the…

  • Australia Requires Ransomware Victims to Declare Payments

    A new Australian law requires larger companies to declare any ransomware payments they have made.

Bruce Schneier