Cyberveille curated by Decio
12 results tagged BugBounty
Google says its AI-based bug hunter found 20 security vulnerabilities https://techcrunch.com/2025/08/04/google-says-its-ai-based-bug-hunter-found-20-security-vulnerabilities/
05/08/2025 06:44:15

techcrunch.com - Google’s AI-powered bug hunter has just reported its first batch of security vulnerabilities.

Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.

Adkins said that Big Sleep, which is developed by the company’s AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.

Given that the vulnerabilities are not fixed yet, we don’t have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.

“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” Google’s spokesperson Kimberly Samra told TechCrunch.

Royal Hansen, Google’s vice president of engineering, wrote on X that the findings demonstrate “a new frontier in automated vulnerability discovery.”

LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.

techcrunch.com EN 2025 Google BugBounty LLM BigSleep
AI slop and fake reports are coming for your bug bounty programs https://techcrunch.com/2025/07/24/ai-slop-and-fake-reports-are-exhausting-some-security-bug-bounties/?uID=8e71ce9f0d62feda43e6b97db738658f0358bf8874bfa63345d6d3d61266ca54
02/08/2025 10:46:31

techcrunch.com 24.07 - “We're getting a lot of stuff that looks like gold, but it's actually just crap,” said the founder of one security testing firm. AI-generated security vulnerability reports are already having an effect on bug hunting, for better and worse.

So-called AI slop, meaning LLM-generated low-quality images, videos, and text, has taken over the internet in the last couple of years, polluting websites, social media platforms, at least one newspaper, and even real-world events.

The world of cybersecurity is not immune to this problem, either. In the last year, people across the cybersecurity industry have raised concerns about AI slop bug bounty reports, meaning reports that claim to have found vulnerabilities that do not actually exist, because they were created with a large language model that simply made up the vulnerability, and then packaged it into a professional-looking writeup.

“People are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, ‘oh no, where is this vulnerability?’,” Vlad Ionescu, the co-founder and CTO of RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch.

“It turns out it was just a hallucination all along. The technical details were just made up by the LLM,” said Ionescu.

Ionescu, who used to work at Meta’s red team tasked with hacking the company from the inside, explained that one of the issues is that LLMs are designed to be helpful and give positive responses. “If you ask it for a report, it’s going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves, overwhelm the customers, and you get into this frustrating situation,” said Ionescu.

“That’s the problem people are running into, is we’re getting a lot of stuff that looks like gold, but it’s actually just crap,” said Ionescu.

Just in the last year, there have been real-world examples of this. Harry Sintonen, a security researcher, revealed that the open source security project Curl received a fake report. “The attacker miscalculated badly,” Sintonen wrote in a post on Mastodon. “Curl can smell AI slop from miles away.”

In response to Sintonen’s post, Benjamin Piouffle of Open Collective, a tech platform for nonprofits, said that they have the same problem: that their inbox is “flooded with AI garbage.”

One open source developer, who maintains the CycloneDX project on GitHub, pulled their bug bounty down entirely earlier this year after receiving “almost entirely AI slop reports.”

The leading bug bounty platforms, which essentially work as intermediaries between bug bounty hackers and companies who are willing to pay and reward them for finding flaws in their products and software, are also seeing a spike in AI-generated reports, TechCrunch has learned.

techcrunch.com EN 2025 IA AI-slop LLM BugBounty
Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own https://www.bleepingcomputer.com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/
18/05/2025 12:15:10

During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox.

The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit.

Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw.

Palo Alto Networks' Edouard Bochin and Tao Yan also demoed an out-of-bounds write zero-day in Mozilla Firefox, while Gerrard Tai of STAR Labs SG escalated privileges to root on Red Hat Enterprise Linux using a use-after-free bug, and Viettel Cyber Security used another out-of-bounds write for an Oracle VirtualBox guest-to-host escape.

In the AI category, Wiz Research security researchers used a use-after-free zero-day to exploit Redis and Qrious Secure chained four security flaws to hack Nvidia's Triton Inference Server.

On the first day, competitors were awarded $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox, reaching a total of $695,000 earned over the first two days of the contest after demonstrating 20 unique 0-days.

The Pwn2Own Berlin 2025 hacking competition focuses on enterprise technologies, introduces an AI category for the first time, and takes place during the OffensiveCon conference between May 15 and May 17.

bleepingcomputer EN 2025 Firefox NVIDIA Pwn2Own Red-Hat Redis SharePoint VirtualBox Vmware-ESXi Zero-Day BugBounty
Keeping GenAI technologies secure is a shared responsibility https://blog.mozilla.org/en/mozilla/keeping-genai-technologies-secure-is-a-shared-responsibility/
09/06/2024 14:49:08

Today, we are investing in the next generation of GenAI security with the 0Day Investigative Network (0Din) by Mozilla, a bug bounty program for large language models (LLMs) and other deep learning technologies. 0Din expands the scope to identify and fix GenAI security by delving beyond the application layer with a focus on emerging classes of vulnerabilities and weaknesses in these new generations of models.

mozilla EN BugBounty LLMs 0Din GenAI
Google Paid Out $10 Million via Bug Bounty Programs in 2023 https://www.securityweek.com/google-paid-out-10-million-via-bug-bounty-programs-in-2023
17/03/2024 16:58:48

Google on Tuesday announced that it paid out a total of $10 million through its bug bounty programs in 2023, bringing the total amount awarded by the tech giant for vulnerabilities found in its products since 2010 to $59 million.

The total paid out in 2023 is less than the $12 million handed out in 2022, but it’s still a significant amount. The money was earned last year by 632 researchers from 68 countries. The highest single reward was $113,337.

securityweek EN 2024 Google bugbounty 2023 paid
How I Hacked the Dutch Government: Exploiting an Innocent Image for Remote Code Execution | by Mukund Bhuva https://medium.com/@mukundbhuva/how-i-hacked-the-dutch-government-exploiting-an-innocent-image-for-remote-code-execution-df1fa936e46a
20/02/2024 08:26:03

I began my search for opportunities and stumbled upon a list of eligible websites for bug hunting at https://gist.github.com/R0X4R/81e6c50c091a20b060afe5c259b58cfa. This list became my starting…

mukundbhuva EN 2024 redteam howto CVE-2022-24816 hack bugbounty Netherlands hack-description
Google Online Security Blog: Expanding our exploit reward program to Chrome and Cloud https://security.googleblog.com/2023/10/expanding-our-exploit-reward-program-to.html?m=1
08/10/2023 11:35:26

In 2020, we launched a novel format for our vulnerability reward program (VRP) with the kCTF VRP and its continuation kernelCTF. For the first time, security researchers could get bounties for n-day exploits even if they didn’t find the vulnerability themselves. This format proved valuable in improving our understanding of the most widely exploited parts of the Linux kernel. Its success motivated us to expand it to new areas, and we're now excited to announce that we're extending it to two new targets: v8CTF and kvmCTF.

googleblog EN 2023 exploit reward program bugbounty
CVD, EU-DSGVO and revDSG - A personal responsible disclosure experience of a data breach in the Swiss cyber landscape in 2022/23 https://andreaskuster.ch/blog/2023/CVD-Swiss-Cyber/?s=09
12/02/2023 14:52:38

In late November 2022, a few days after ETH Alumni launched their new feature “Who is who”, which allows them to look up and connect to other members, I came across a severe access control vulnerability. Without any authorization over the internet, it allowed extracting at least 35418 member profiles, including full name, postal address, nationality, title, graduation field, study start year, gender, profile picture and hashed passwords.

andreaskuster EN 2023 ETHZ Zurich bugbounty blog vulnerability disclosure CH
Turning Google smart speakers into wiretaps for $100k https://downrightnifty.me/blog/2022/12/26/hacking-google-home.html
30/12/2022 11:47:19

I was recently rewarded a total of $107,500 by Google for responsibly disclosing security issues in the Google Home smart speaker that allowed an attacker within wireless proximity to install a “backdoor” account on the device, enabling them to send commands to it remotely over the Internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s LAN (which could potentially expose the Wi-Fi password or provide the attacker direct access to the victim’s other devices). These issues have since been fixed.

downrightnifty bugbounty Google Home smart-speaker responsible-disclosure wiretaps
Safari Flaws Exposed Webcams, Online Accounts, and More https://www.wired.com/story/safari-flaws-webcam-online-accounts-mic/
15/02/2022 10:39:40

Apple awarded a $100,500 bug bounty to the researcher who discovered the latest major vulnerability in its browser.

apple safari vulnerabilities bugbounty WIRED webcam
Webcam Hacking (again) - Safari UXSS https://www.ryanpickren.com/safari-uxss
15/02/2022 10:38:37

$100,500 Apple Bug Bounty for hacking the webcam via a Safari Universal Cross-Site Scripting (UXSS) bug. CVE-2021-30861, CVE-2021-30975

GeorgiaTechHacker Pickren Safari UXSS Apple bugbounty CVE-2021-30861 CVE-2021-30975
Google Online Security Blog: Vulnerability Reward Program: 2021 Year in Review https://security.googleblog.com/2022/02/vulnerability-reward-program-2021-year.html
14/02/2022 08:13:47

Last year was another record setter for our Vulnerability Reward Programs (VRPs). Throughout 2021, we partnered with the security researcher community to identify and fix thousands of vulnerabilities – helping keep our users and the internet safe.

Google reward bugbounty 2021 vulnerabilities data report EN