
Will AI Kill the Bug Bounty Industry?

9 June 2026 at 07:00

Anthropic's Mythos is accelerating vulnerability discovery to machine speed, forcing the bug bounty industry and offensive security teams to adapt to a future where finding flaws is no longer the hard part.

The post Will AI Kill the Bug Bounty Industry? appeared first on SecurityWeek.

Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away

5 June 2026 at 10:48

Microsoft reopened some wounds and has reignited debate over the past couple of weeks about vulnerability disclosure and the sometimes adversarial dynamic it creates between security researchers and vendors.

The latest controversy ensued when Microsoft threatened criminal legal action against a security researcher who publicly disclosed a series of zero-day vulnerabilities with proof-of-concept exploits. Microsoft insisted it received no details about the vulnerabilities prior to release, adding that the defects were not responsibly disclosed and put its customers at unnecessary risk.

The public dispute between Microsoft and the researcher known as “Nightmare Eclipse,” who couldn’t be identified or reached for comment, sparked dismay among some security professionals. Microsoft’s forceful response and the resulting backlash revived a friction point between vendors and researchers who find and report flaws in the software they sell.

“The fight is being argued as coordinated disclosure, but the grievance underneath is personal and specific in a way disclosure shouldn’t be, especially with a vendor that has been at it for so long,” Katie Moussouris, founder and CEO at Luta Security, told CyberScoop.

“Microsoft seemed to get emotional and shouldn’t have publicly said anything, but somehow felt justified in calling out a researcher and involved law enforcement in the same breath,” she said. “That puts them right back in the first stages of vulnerability disclosure grief: denial and anger.”

The former longtime Microsoft employee who ran outreach with the security community, created the company’s first bounty program and has given conference talks on the subject as far back as 2013, said the company doubled down on its lack of responsibility in the whole saga.

Microsoft declined to answer questions in the wake of the fallout.

Nightmare Eclipse hinted at a breakdown and impending battle with the vendor in a series of blog posts leading up to Microsoft’s missive about the vulnerabilities RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma.

Attackers exploited three of the six vulnerabilities Nightmare Eclipse released before they were patched by Microsoft.

The researcher claimed Microsoft refused to communicate, didn’t pay or credit them for discovering and reporting some of the vulnerabilities, deleted the Microsoft Security Response Center account they used to disclose vulnerabilities and flagged their GitHub account for removal. 

“You are proving to everyone that you are actively escalating this conflict,” they wrote, before threatening Microsoft with a release in mid-July that “will make sure your bones are shattered that day.”

Vulnerability disclosure is a two-way street

The characteristics of a proper vulnerability disclosure process are nuanced and often depend on the eye of the beholder.

Any successful dance between bug hunters and vendors comes down to meeting each other halfway, said Andrew Morris, founder and chief architect of GreyNoise. 

While vendors must fix software defects and prioritize security, Morris noted that irresponsible vulnerability disclosure harms both incident responders and potential victims. 

“Personally, I feel like this researcher is being extremely petty. It seems like they have an ax to grind,” he said.

“You’re not allowed to give somebody something and say it’s out of the kindness of your heart, and then be pissed when they don’t pay you for it.” 

But Morris also made clear that vendors bear responsibility for building trust with researchers.  

“If you actually care about being the first one to know about bugs in your software, not learning about it once harm has happened, or once somebody’s gotten popped, then you want to cultivate that trust with the security community,” Morris said. 

Microsoft said it recognizes that the relationship between security researchers and vendors is critical and, at times, fragile. 

“We deeply value the security community, and will continue to take your feedback seriously,” the company said in its post on X.

Yet, the company remains steadfast in opposing the circumstances of Nightmare Eclipse’s disclosures, describing their actions as illegal, unjustifiable and irresponsible. 

“When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate,” Microsoft said without naming the researcher by their moniker. “We continue to believe strongly in coordinated vulnerability disclosure as the foundation for protecting customers and improving our products. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”

The cost of pushback

Security researchers seek out defects for various reasons: bounty payouts, recognition, industry credibility, or simply the thrill of the hunt that comes with finding vulnerabilities and getting them fixed.

At its best, this process happens behind the scenes, with patches released and customers warned before exploitation occurs.

This collaborative approach has taken root and improved considerably, but there are still cases where researchers feel slighted. 

“The public has no idea what went on behind the scenes to judge why a researcher that previously coordinated finally had enough and decided to drop a zero-day [vulnerability],” Moussouris said. As such, she’s less inclined to criticize Nightmare Eclipse’s actions, adding that “they come off as someone who needs help.” 

Yet trust between vulnerability researchers and vendors breaks down often. Earlier this week, security researcher Ammar Askar claimed his last interaction with Microsoft’s security team was so poor that he decided to publicly disclose any bugs he finds in VS Code going forward. He made good on that threat by dropping a vulnerability and exploit code for a defect that allows attackers to steal GitHub tokens.

While actions like this can sabotage trust and drive a wedge between vendors and vulnerability researchers, recourse to a large extent is limited. Moussouris said most of the time, the legal and ethical boundaries are clear to those involved. Researchers can report bugs, withhold them, sell them, or publish them. “The one red line is crime: using a flaw to extort or attack people,” Moussouris said. 

“Threatening to publish on a set date is a threat to disclose, and disclosure is lawful. You can find the tone ugly. [Nightmare Eclipse] still broke no rule and violated no duty.” 

The timing couldn’t be worse 

Both sides are partly responsible for what happened, but Microsoft made things worse, Morris said. Threatening legal action and taking an aggressive approach have never worked. Building a good relationship between researchers and vendors requires open communication and trust. 

“I thought we were past this. It turns out that we are not,” he said. 

The Nightmare Eclipse incident comes at a fraught time in this space. Vendors and their customers are confronting a deluge of vulnerabilities, and the rise of artificial intelligence models that discover them is exacerbating this challenge, leaving security experts alarmed about what’s coming.

The prospects for where vulnerabilities will be discovered and exploited next, and to what impact, are unknown and wildly unsettling. 

These signals imply that the classic CVE-based system built on responsible disclosure processes is probably broken, Morris said. “There’s just so many CVEs. It’s like, is this even working anymore?”

For now, and despite all their faults, coordinated vulnerability disclosure programs are widely viewed as the most sensible and scalable approach to this dilemma.

“Coordinated disclosure is what happens when a vendor gets lucky. Someone they did not hire hands them a real bug instead of using it or selling it. That puts the whole burden of keeping coordination alive on the vendor,” Moussouris said. “Silent patching with no CVE and calling out researchers who don’t follow your timeline for disclosure squanders the vendor’s luck.”  

She stressed the stakes: “I hope Microsoft and all vendors learn that coordinated vulnerability disclosure is a gift and a grace from the security researcher community to them, and public disclosure is still better than non-disclosure or crime.”

The alternatives to a deteriorating relationship could wreak havoc and leave every vendor and customer more susceptible to attack. 

“If vendors unlearn how to receive free intellectual property and labor from the security community in the form of vulnerability reports with gratitude, we’re headed for a world where nobody bothers to give vendors any heads up, or they move to a timed disclosure model that gives no grace,” Moussouris said.

She concluded with a direct message: “Product vendors wrote the vulnerable code, own the risk, and they owe it to their users to do everything in their power to reduce that risk.” That includes “keeping their grievances to themselves and learning from introspection on coordinated vulnerability disclosure gone wrong.”

The post Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away appeared first on CyberScoop.

AI might cut false positives, but it won’t stop the slop 

By: djohnson
18 May 2026 at 16:45

As defenders get their hands on newer AI models with more powerful cybersecurity capabilities like Anthropic’s Mythos and OpenAI’s Daybreak, organizations are being told to prepare for a flood of new vulnerability reports.

But for bug bounty programs across the nation, that day may already be here, as yesterday’s frontier models and today’s open-source AI tools have dramatically increased the volume of bug reports flowing into companies around their own products or on larger bounty platforms online.

GitHub, one of the world’s largest online code repositories, said it is tightening its definition of a “complete” bug report after a significant increase in AI-assisted submissions over the past year.

Although the influx has had some benefits, many reports are submitted without proof of concept, are reliant on unrealistic attack scenarios or cover issues already listed as ineligible. As a result, the company is having difficulty separating signal from noise.

“This isn’t unique to GitHub,” wrote Jarom Brown, senior product security engineer at GitHub. “Programs across the industry are grappling with the same challenge, and some have shut down entirely.”

Brown said GitHub does not want to ban the use of AI generated reports entirely, calling it a “force multiplier” for security in the right context. But in a world where it’s never been easier to use AI to generate theoretical bugs, the company wants researchers to go the extra mile to confirm that their discoveries can actually be exploited in real-world conditions.

“What we need is the same standard we’ve always expected: validation,” Brown wrote. “An AI-assisted finding that’s been verified, reproduced, and submitted with a working proof of concept is a great submission. An unvalidated output submitted as-is without reproduction or demonstrated impact is not.”

Grant Bourzikas, chief security officer at Cloudflare, said triaging bugs and proving they can be exploited has always been one of the hardest parts of vulnerability research, and AI vulnerability scanners and code have “made it worse.”

For instance, code written in the C and C++ programming languages is vulnerable to a range of exploits – like buffer overflows and out-of-bounds reads and writes – that don’t exist in memory-safe languages like Rust. AI tools scanning software written in memory-unsafe programming languages are far more likely to generate false positives.

But one of the biggest flaws continues to be that AI tools are also designed to give the user what they’re asking for, even when it’s not there. This leads to the generation of bug reports filled with speculation and qualifiers around exploitability that require human follow-up.

“That’s a reasonable bias for an exploratory tool,” Bourzikas wrote. “It’s a ruinous one for a triage queue, where every speculative finding spends human attention and tokens to dismiss, and that cost compounds across thousands of findings.”

Cloudflare recently shared results from testing Mythos on 50 of its own code repositories, looking for exploits. Bourzikas called Mythos “a different kind of tool doing a different kind of work” from other frontier models, and said it made significant progress in reducing false positives.

For example, he pointed to two Mythos capabilities that stood out compared to other models: chaining exploits together and generating its own proof-of-concept code to confirm exploitability.

Older models could spot many of the same bugs, but they often couldn’t figure out how to exploit them effectively, or show that the issue could be exploited in real world conditions.

Others have argued that the gap in bug-hunting capabilities between newer frontier AI models and older ones, or the open-source models available today, is not as large as advertised.

Swedish software developer Daniel Stenberg, lead developer for curl, an open source file transfer tool used around the world, recently wrote about his experience with Mythos Preview. Like others, he has also seen a higher volume of AI-fueled bug reports over the past year, but said the flood of low-quality reports has tapered off significantly since March as models have improved.

Curl is mature and polished by the standards of most software: Stenberg estimates each line of code has been rewritten or altered at least four times, and he said he has used both human and AI tools in the past to implement hundreds of bug fixes over Curl’s existence.

That makes it a unique testing ground for the enhanced capabilities of Mythos, which was reportedly so powerful at finding vulnerabilities that Anthropic opted not to release it to the general public.

After gaining access to Mythos, Stenberg received the results of a scan of 178,000 lines of curl code. Ultimately, the scan flagged five “confirmed” vulnerabilities. Further exploration by human researchers found that 4 of the bugs were false positives or had no security impact. The one remaining bug Mythos found? A low-severity flaw that will be fixed in a regular June update.

Even as he praised the impact of AI on cybersecurity generally, Stenberg concluded that for all the hype, Mythos is only “a bit better” than previously released models.

“My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,” he wrote. “I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

The post AI might cut false positives, but it won’t stop the slop appeared first on CyberScoop.

Lawrence’s List 081216

By: BHIS
12 August 2016 at 11:18

Lawrence Hoffmann // So, Apple announced a new bug bounty program at BlackHat, and there are some interesting deviations from the norm in their plan to implement and pay out. […]

The post Lawrence’s List 081216 appeared first on Black Hills Information Security, Inc.
