Disclosure

Vulnerability Disclosure in the Age of AI

| | academic papers, AI, Disclosure, Uncategorized, Vulnerabilities
New article: “Responsible Disclosure in the Age of AI: A Call for Urgent Action,” by Melissa Hathaway. Abstract: Artificial intelligence is fundamentally reshaping the balance between vulnerability discovery and remediation. Frontier AI ...
Schneier on Security
USENIX Security '25 (Enigma Track) - Everything Old Is New Again: Legal Restrictions on...

Legal Restrictions on Vulnerability Disclosure

| | courts, Disclosure, Uncategorized, video, Vulnerabilities
Kendra Albert gave an excellent talk at USENIX Security this year, pointing out that the legal agreements surrounding vulnerability disclosure muzzle researchers while allowing companies to not fix the vulnerabilities—exactly the opposite ...
Schneier on Security

Serious F5 Breach

| | breaches, Disclosure, Network Security, Uncategorized, Vulnerabilities
This is bad: F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled ...
Schneier on Security

Hacking Electronic Safes

| | backdoors, Disclosure, locks, patching, safes, Uncategorized, Vulnerabilities
Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method ...
Schneier on Security

A Cyberattack Victim Notification Framework

| | cyberattack, Disclosure, Uncategorized
Interesting analysis: When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge ...
Schneier on Security
data breach

Getting Ahead of Cybersecurity Materiality Mayhem

| | Breach, Cybersecurity, Disclosure, Incident Response, materiality, SEC
Cybersecurity leaders must differentiate between strategic (material) and tactical threats in a cross-functional manner and determine 'materiality.' ...
Security Boulevard
SEC incident response C-Suite-Data-Breach

SEC Cyber Incident Reporting Rules Pressure IT Security Leaders

| | Breach, Compliance, Data breach, Disclosure, Incident Response, SEC
As the SEC gets tough on businesses' cybersecurity posture, IT security leaders will need to beef up incident response plans ...
Security Boulevard

Responsible Disclosure for Cryptocurrency Security

| | blockchain, cryptocurrency, Disclosure, patching, Uncategorized, Vulnerabilities
Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software. Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by ...
Schneier on Security

Missouri Governor Doesn’t Understand Responsible Disclosure

| | courts, Disclosure, overreactions, Uncategorized
The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state. The newspaper agreed to hold off publishing any ...
Schneier on Security

Bug Bounty Programs Are Being Used to Buy Silence

| | bribes, coverups, Disclosure, Reports
Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers: Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In ...
Schneier on Security
Load more