#bug-bounty

#bug-bounty

I got a rush from feeling challenged. The computer would say 'No', and I would think, 'Well, we'll see'. In his own words it was more a case of Rage Against the Machine than simply Stayin' Alive.

Axonius has laid off approximately 40 employees, representing less than 4% of its global staff, with the majority of cuts in marketing and sales. Co-founder Dean Sysman has stepped down from his role as CEO to become executive chairman, with company president Joe Diamond appointed as interim CEO. The workforce adjustment aims to refine the company's organizational structure and improve operational efficiency as it prepares for a potential IPO.

HackerOne does not train generative AI models, internally or through third-party providers, on researcher submissions or customer confidential data. Neither, she continued, are researcher submissions used to "train, fine-tune, or otherwise improve generative AI models." And third-party model providers are not permitted to "retain or use researcher or customer data for their own model training." Sprague assured researchers: "You are not inputs to our models... Hai is designed to complement your work, not replace it."

Google on Tuesday announced the release of Chrome 145 to the stable channel with fixes for 11 vulnerabilities, including three high-severity bugs. First in line is CVE-2026-2313, a high-severity use-after-free issue in CSS that earned the reporting researchers an $8,000 bug bounty reward. The two other high-severity defects, tracked as CVE-2026-2314 and CVE-2026-2315, were found and reported by Google and are described as a heap buffer overflow in Codecs and an inappropriate implementation in WebGPU, respectively.

"Smart people are burning out sifting through backlogs of unprioritized, low-value vulnerabilities, while the real critical pathways go unprotected," says Shlomie Liberow, founder and CEO of Aisy (and formerly head of hacker research and development at HackerOne). He doesn't see this changing for mid-tier and larger companies - partly because of the security industry itself. Each vulnerability tool competes with other vulnerability tools, and each one avoids the possibility of a competitor finding more issues than it does itself.

Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could lead to data theft or full server takeover. FearsOff security researchers reported the bug in October through Cloudflare's bug bounty program, and the CDN says it has patched the vulnerability in its ACME (Automatic Certificate Management Environment) validation logic with no action required from its customers.

Under the new model, MSRC will pay researchers who report critical vulnerabilities that have a demonstrable impact on Microsoft's online services. "Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue," Gallagher said. "Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit."

Anthropic's AI assistant, Claude, appears vulnerable to an attack that allows private data to be sent to an attacker without detection. Anthropic confirms that it is aware of the risk. The company states that users must be vigilant and interrupt the process as soon as they notice suspicious activity. The discovery comes from researcher Johann Rehberger, also known as Wunderwuzzi, who has previously uncovered several vulnerabilities in AI systems, writes The Register.

On Monday, Google security engineering managers Jason Parsons and Zak Bennett said in a blog post that the new program, an extension of the tech giant's existing Abuse Vulnerability Reward Program (VRP), will incentivize researchers and bug bounty hunters to focus on "high-impact abuse issues and security vulnerabilities" in Google products and services.

Daniel Stenberg stated, "does not seem to slow down. On the contrary, it seems that we have recently not only received more AI slop but also more human slop."

Meta has addressed a security vulnerability that allowed users to access private prompts and AI-generated responses of others, revealing major concerns with data authorization.