#bug-bounty

#bug-bounty

HackerOne does not train generative AI models, internally or through third-party providers, on researcher submissions or customer confidential data. Neither, she continued, are researcher submissions used to "train, fine-tune, or otherwise improve generative AI models." And third-party model providers are not permitted to "retain or use researcher or customer data for their own model training." Sprague assured researchers: "You are not inputs to our models... Hai is designed to complement your work, not replace it."

"Smart people are burning out sifting through backlogs of unprioritized, low-value vulnerabilities, while the real critical pathways go unprotected," says Shlomie Liberow, founder and CEO of Aisy (and formerly head of hacker research and development at HackerOne). He doesn't see this changing for mid-tier and larger companies - partly because of the security industry itself. Each vulnerability tool competes with other vulnerability tools, and each one avoids the possibility of a competitor finding more issues than it does itself.

Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could lead to data theft or full server takeover. FearsOff security researchers reported the bug in October through Cloudflare's bug bounty program, and the CDN says it has patched the vulnerability in its ACME (Automatic Certificate Management Environment) validation logic with no action required from its customers.

Under the new model, MSRC will pay researchers who report critical vulnerabilities that have a demonstrable impact on Microsoft's online services. "Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue," Gallagher said. "Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit."

Anthropic's AI assistant, Claude, appears vulnerable to an attack that allows private data to be sent to an attacker without detection. Anthropic confirms that it is aware of the risk. The company states that users must be vigilant and interrupt the process as soon as they notice suspicious activity. The discovery comes from researcher Johann Rehberger, also known as Wunderwuzzi, who has previously uncovered several vulnerabilities in AI systems, writes The Register.

On Monday, Google security engineering managers Jason Parsons and Zak Bennett said in a blog post that the new program, an extension of the tech giant's existing Abuse Vulnerability Reward Program (VRP), will incentivize researchers and bug bounty hunters to focus on "high-impact abuse issues and security vulnerabilities" in Google products and services.

Daniel Stenberg stated, "does not seem to slow down. On the contrary, it seems that we have recently not only received more AI slop but also more human slop."

Meta has addressed a security vulnerability that allowed users to access private prompts and AI-generated responses of others, revealing major concerns with data authorization.