#cloud-bug-bounty
#cloud-bug-bounty

Information security

Cloud development platform Vercel was hacked

Information security

App host Vercel confirms security incident, says customer data was stolen via breach at Context AI | TechCrunch

13 hours ago

Information security

Hackers exploit Vercel's trust in AI integration

18 hours ago

Information security

Next.js developer Vercel warns customer creds compromised

8 hours ago

Vercel Confirms Major Security Incident as Hacker Claims $2M Ransom Demand

Vercel confirmed a security incident involving unauthorized access to internal systems, with a threat actor claiming to sell stolen company data.

fromSiliconANGLE

5 hours ago

Developer tooling provider Vercel discloses breach that exposed some users' data - SiliconANGLE

Vercel experienced a security breach through Context.ai, compromising limited customer data and employee information.

Cloud development platform Vercel was hacked

Vercel experienced a security breach due to a compromised third-party AI tool, leading to the exposure of customer data.

App host Vercel confirms security incident, says customer data was stolen via breach at Context AI | TechCrunch

Vercel experienced a data breach due to a compromised employee account linked to Context AI, exposing customer credentials.

13 hours ago

Hackers exploit Vercel's trust in AI integration

Sensitive secrets should be treated as potentially exposed and rotated as a priority.

18 hours ago

Next.js developer Vercel warns customer creds compromised

Vercel experienced a data leak due to a compromise of Context.ai, affecting customer credentials and prompting immediate action.

Artificial intelligence

The MCP Disclosure Is the AI Era's 'Open Redirect' Moment

AI vendors' response to security flaws: It wasn't me

AI vendors promote AI for security but often dismiss flaws as intended behavior.

fromTNW | Anthropic

Anthropic, Google, and Microsoft paid AI agent bug bounties, then kept quiet about the flaws

Aonan Guan exploited prompt injection attacks to hijack AI agents from Anthropic, Google, and Microsoft, stealing sensitive API keys and tokens.

Anthropic, Google, Microsoft paid AI bug bounties - quietly

Security researchers exploited prompt injection attacks on AI agents to steal sensitive data without vendor disclosure of vulnerabilities.

AI agents on GitHub leak API keys via prompt injection

Three popular AI agents on GitHub Actions are vulnerable to Comment and Control attacks, allowing attackers to steal API keys and access tokens.

Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments

A prompt injection attack method named 'Comment and Control' targets AI code security tools, allowing attackers to hijack AI agents using crafted GitHub comments.

6 hours ago

The MCP Disclosure Is the AI Era's 'Open Redirect' Moment

The Model Context Protocol has a design flaw that enables AI supply chain attacks, posing a significant security risk to enterprise AI systems.

AI vendors' response to security flaws: It wasn't me

AI vendors promote AI for security but often dismiss flaws as intended behavior.

fromTNW | Anthropic

Anthropic, Google, and Microsoft paid AI agent bug bounties, then kept quiet about the flaws

Aonan Guan exploited prompt injection attacks to hijack AI agents from Anthropic, Google, and Microsoft, stealing sensitive API keys and tokens.

Anthropic, Google, Microsoft paid AI bug bounties - quietly

Security researchers exploited prompt injection attacks on AI agents to steal sensitive data without vendor disclosure of vulnerabilities.

AI agents on GitHub leak API keys via prompt injection

Three popular AI agents on GitHub Actions are vulnerable to Comment and Control attacks, allowing attackers to steal API keys and access tokens.

Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments

A prompt injection attack method named 'Comment and Control' targets AI code security tools, allowing attackers to hijack AI agents using crafted GitHub comments.

Privacy professionals

Lovable denies data leak, cites 'intentional behavior'

Privacy professionals

Clothing Retailer Patches Website Flaw Exposing Customer Data

Vercel Breach Originated from an Employee's AI Tool

Vercel confirmed a data breach caused by a third-party AI tool used by an employee, impacting a limited subset of customers.

Information security

McGraw Hill Data Breach Caused by Salesforce Misconfiguration

Information security

Hack at Anodot leaves over a dozen breached companies facing extortion | TechCrunch

Privacy professionals

2 hours ago

Lovable denies data leak, cites 'intentional behavior'

Lovable's platform has a significant security flaw allowing free accounts to access sensitive user information, raising concerns about data protection.

Privacy professionals

Clothing Retailer Patches Website Flaw Exposing Customer Data

A flaw in Express's website allowed unauthorized access to customer data through sequential order IDs in URLs.

Vercel Breach Originated from an Employee's AI Tool

Vercel confirmed a data breach caused by a third-party AI tool used by an employee, impacting a limited subset of customers.

McGraw Hill Data Breach Caused by Salesforce Misconfiguration

McGraw Hill experienced a data breach linked to a Salesforce misconfiguration, with ShinyHunters claiming to have stolen 45 million records.

Hack at Anodot leaves over a dozen breached companies facing extortion | TechCrunch

Hackers stole data from multiple companies after breaching Anodot, exposing customers to extortion and potential data publication.

Careers

Advance Your Cybersecurity Career

Software development

Claude Opus wrote a Chrome exploit for $2,283

Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More

Third-party tools are exploited to gain internal access, highlighting a shift in attack strategies that bend trust rather than break systems.

15 hours ago

Information security

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

Hackers are abusing unpatched Windows security flaws to hack into organizations | TechCrunch

Hackers exploited Windows vulnerabilities published by a researcher, affecting Windows Defender and allowing high-level access.

fromLondon Business News | Londonlovesbusiness.com

The rising cost of data breaches: Why backup and cyber protection must go hand in hand - London Business News | Londonlovesbusiness.com

Cyber incidents now lead to significant financial and reputational damage, necessitating a unified strategy for backup and cyber protection.

Careers

Advance Your Cybersecurity Career

Degrees and certifications in cybersecurity indicate foundational knowledge but hands-on experience and skills are more critical for success.

Claude Opus wrote a Chrome exploit for $2,283

Anthropic withheld its Mythos model due to security concerns, while Opus 4.6 was used to create a functional exploit for Chrome's V8 engine.

Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More

Third-party tools are exploited to gain internal access, highlighting a shift in attack strategies that bend trust rather than break systems.

15 hours ago

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

A critical vulnerability in the Model Context Protocol allows remote code execution, affecting over 7,000 servers and compromising sensitive data.

Hackers are abusing unpatched Windows security flaws to hack into organizations | TechCrunch

Hackers exploited Windows vulnerabilities published by a researcher, affecting Windows Defender and allowing high-level access.

fromLondon Business News | Londonlovesbusiness.com

The rising cost of data breaches: Why backup and cyber protection must go hand in hand - London Business News | Londonlovesbusiness.com

Cyber incidents now lead to significant financial and reputational damage, necessitating a unified strategy for backup and cyber protection.

Company has more than 2m stolen from account following cyber attack

Future Energy Capital Limited lost over €2m due to a cyber attack last October.

When cloud giants neglect resilience

Cloud outages highlight reliability issues as providers prioritize cost-cutting over service stability, raising questions about acceptable levels of unreliability.

EU data protection

fromComputerWeekly.com

CYBERUK '26: UK lagging on legal protections for cyber pros | Computer Weekly

The outdated Computer Misuse Act hinders UK cyber security innovation and needs urgent reform to protect cyber professionals.

#microsoft

Privacy technologies

Microsoft faces fresh Windows Recall security concerns

Information security

Microsoft Paid Out $2.3 Million at Zero Day Quest 2026 Hacking Contest

Information security

Microsoft closes book on rogue Windows Server 2025 upgrades

fromComputerworld

Information security

Microsoft's Windows Recall still allows silent data extraction

Information security

Microsoft Issues Patches for SharePoint Zero-Day and 168 Other Vulnerabilities

Information security

Microsoft Issues Massive Windows Patch for 160+ Bugs, Including Two Zero-Days

Privacy technologies

Microsoft faces fresh Windows Recall security concerns

A new tool, TotalRecall Reloaded, extracts data from Microsoft's redesigned Recall feature, raising ongoing security and privacy concerns.

Microsoft Paid Out $2.3 Million at Zero Day Quest 2026 Hacking Contest

Microsoft's Zero Day Quest 2026 awarded $2.3 million for discovering 80 high-impact vulnerabilities in cloud and AI services.

Microsoft closes book on rogue Windows Server 2025 upgrades

Microsoft has resolved the Windows Server 2025 upgrade issue, but new problems have emerged with the cumulative update KB5082063.

fromComputerworld

Microsoft's Windows Recall still allows silent data extraction

Microsoft needs to enhance code integrity for AIXHost.exe to prevent injection attacks.

Microsoft Issues Patches for SharePoint Zero-Day and 168 Other Vulnerabilities

Microsoft addressed 169 security flaws, including one actively exploited vulnerability, marking the second largest Patch Tuesday ever.

Microsoft Issues Massive Windows Patch for 160+ Bugs, Including Two Zero-Days

Microsoft released a significant security update addressing 165 vulnerabilities, including two critical zero-days, marking one of the largest updates in its history.

Empower Your Developers: How Open Source Dependencies Risk Management Can Unlock Innovation

Improving security in open-source dependencies is essential for effective risk management and innovation.

2 days ago

Cloudflare can remember it for you wholesale

Agent Memory enhances AI by providing persistent memory for better recall and smarter interactions.

fromInfoQ

Meta Reports 4x Higher Bug Detection with Just-in-Time Testing

JiT testing improves software quality by dynamically generating tests during code review, enhancing bug detection by approximately 4x in AI-assisted environments.

Apple

Security reserchers tricked Apple Intelligence into cursing

Apple Intelligence can be hijacked through prompt injection, exposing millions of users to risk, but a fix was implemented in iOS 26.4 and macOS 26.4.

from24/7 Wall St.

Oracle's New AWS Partnership Just Put It Ahead of Azure and Google Cloud

Multicloud setups are essential for enterprise AI, enabling seamless data movement and integration across different cloud providers.

Careers

fromFortune

This CEO pirated video games as a teen and became a hacker for the Air Force. Now he's built a $3 billion cyber firm | Fortune

Gen Z should trust instincts in career paths, as demonstrated by Kyle Hanslovan's unconventional journey to CEO of a $3 billion cybersecurity firm.

58% of Organizations Spend Over 10 Hours a Month Securing AI-generated Code

31% of organizations using AI-generated code spend 10 hours or less per month on validation and auditing, raising security concerns.

AI Upgrades, Security Breaches, and Industry Shifts Define This Week in Tech - TechRepublic

AI innovation and security threats are reshaping technology and corporate strategies across various platforms and applications.

Scale sets edge platform's software ever more free from hardware constraints

Scale Computing is reducing hardware requirements for its software, allowing more flexibility for partners and customers in choosing hardware platforms.

Democratized Software, Democratized Risk: Who's Accountable When Everyone Codes?

AI-driven coding tools enable non-technical teams to create software, but they introduce vulnerabilities and require clear ownership and governance.

The State of Trusted Open Source Report

AI is reshaping software development and security, influencing container image usage and vulnerability management.

fromZDNET

'Like handing out the blueprint to a bank vault': Why AI led one company to abandon open source

Cal is shifting from open source to proprietary licensing due to security risks posed by modern AI tools.

2 weeks ago

Software development

Internet Bug Bounty program hits pause on payouts

Python

2 weeks ago

The State of Trusted Open Source Report

AI is reshaping software development and security, influencing container image usage and vulnerability management.

fromZDNET

'Like handing out the blueprint to a bank vault': Why AI led one company to abandon open source

Cal is shifting from open source to proprietary licensing due to security risks posed by modern AI tools.

2 weeks ago

Software development

Internet Bug Bounty program hits pause on payouts

more#open-source

fromArs Technica

Mozilla launches Thunderbolt AI client with focus on self-hosted infrastructure

Thunderbolt client by Mozilla supports various AI interfaces and is available for multiple platforms, with enterprise deployment options under development.

Anthropic's Project Glasswing CVE count is still guesswork

Anthropic's Mythos model is under testing by select companies to identify security vulnerabilities, but actual findings remain uncertain.

MCP 'design flaw' puts 200k servers at risk: Researcher

A design flaw in Anthropic's Model Context Protocol puts 200,000 servers at risk, despite repeated requests for a patch from security researchers.

Anthropic's Project Glasswing CVE count is still guesswork

Anthropic's Mythos model is under testing by select companies to identify security vulnerabilities, but actual findings remain uncertain.

MCP 'design flaw' puts 200k servers at risk: Researcher

A design flaw in Anthropic's Model Context Protocol puts 200,000 servers at risk, despite repeated requests for a patch from security researchers.

more#anthropic

fromAzure DevOps Blog

One-click security scanning and org-wide alert triage come to Advanced Security - Azure DevOps Blog

New capabilities in Azure DevOps simplify application security with one-click CodeQL setup and a unified alerts experience for security teams.

Privacy professionals

Hack-for-hire group caught targeting Android devices and iCloud backups | TechCrunch

A hack-for-hire group is targeting journalists and officials in the Middle East and North Africa using phishing and spyware tactics.

Where will developer wisdom come from?

Agentic coding allows software creation without traditional developer wisdom, relying instead on AI like Claude Code for implementation and problem-solving.

14 hours ago

Hackers Abuse QEMU for Defense Evasion

Threat actors are exploiting QEMU for ransomware and remote access tool deployment, with increased activity observed since late 2025.

Microsoft Defender Flaws Exploited on Windows, Two Left Unpatched

Three new security flaws in Microsoft Defender are actively exploited, with only one patched, allowing full SYSTEM-level access to attackers.

Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

Threat actors are exploiting three vulnerabilities in Microsoft Defender for elevated privileges, with one flaw already addressed by Microsoft.

7 hours ago

Microsoft Defender Flaws Exploited on Windows, Two Left Unpatched

Three new security flaws in Microsoft Defender are actively exploited, with only one patched, allowing full SYSTEM-level access to attackers.

Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

Threat actors are exploiting three vulnerabilities in Microsoft Defender for elevated privileges, with one flaw already addressed by Microsoft.

more#microsoft-defender

14 hours ago

Aikido Endpoint offers developers additional protection against supply chain attacks

Aikido Endpoint protects developers' endpoints from supply chain attacks by blocking high-risk installations before they reach the system.

fromDevOps.com

The Open Source Trap: Why Trust Isn't a Security Strategy - DevOps.com

The software supply chain is vulnerable due to reliance on under-resourced open source maintainers, requiring active organizational support for security.

Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks

Threat actors have shifted to new phishing platforms after Tycoon 2FA's disruption, reusing its tools and increasing overall phishing attacks.

Attackers are targeting developers via Slack and Google Sites

A targeted phishing campaign exploits trust in the open-source community, tricking developers into providing credentials and installing malicious software.

2 days ago

Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks

Threat actors have shifted to new phishing platforms after Tycoon 2FA's disruption, reusing its tools and increasing overall phishing attacks.

Attackers are targeting developers via Slack and Google Sites

A targeted phishing campaign exploits trust in the open-source community, tricking developers into providing credentials and installing malicious software.

Cursor AI Vulnerability Exposed Developer Devices

A vulnerability in Cursor AI allows attackers to hijack developer machines via malicious repositories without user interaction.

Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution

Cisco has released patches for four critical security vulnerabilities in Identity Services and Webex Services that could allow unauthorized access and code execution.

Cisco Patches Critical Vulnerabilities in Webex, ISE

Cisco patched 15 vulnerabilities, including critical flaws in Webex and Identity Services Engine, allowing potential unauthorized access and command execution.

Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution

Cisco has released patches for four critical security vulnerabilities in Identity Services and Webex Services that could allow unauthorized access and code execution.

Cisco Patches Critical Vulnerabilities in Webex, ISE

Cisco patched 15 vulnerabilities, including critical flaws in Webex and Identity Services Engine, allowing potential unauthorized access and command execution.

more#cisco

fromComputerWeekly.com

Surging CVE disclosures force NIST to shake up workflows | Computer Weekly

NIST is changing its approach to handling CVEs, focusing on those with the greatest potential impact due to increased submissions.

CISA tells feds to patch 13-year-old Apache ActiveMQ bug

CISA warns of a critical Apache ActiveMQ vulnerability requiring federal agencies to patch within two weeks to prevent exploitation.

Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

A high-severity security flaw in Apache ActiveMQ Classic, CVE-2026-34197, is actively exploited, requiring urgent fixes by April 30, 2026.

Recent Apache ActiveMQ Vulnerability Exploited in the Wild

A vulnerability in Apache ActiveMQ Classic, CVE-2026-34197, is being actively exploited, requiring immediate patching by organizations.

CISA tells feds to patch 13-year-old Apache ActiveMQ bug

CISA warns of a critical Apache ActiveMQ vulnerability requiring federal agencies to patch within two weeks to prevent exploitation.

Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

A high-severity security flaw in Apache ActiveMQ Classic, CVE-2026-34197, is actively exploited, requiring urgent fixes by April 30, 2026.

Recent Apache ActiveMQ Vulnerability Exploited in the Wild

A vulnerability in Apache ActiveMQ Classic, CVE-2026-34197, is being actively exploited, requiring immediate patching by organizations.

Recent advances push Big Tech closer to the Q-Day danger zone

Organizations are transitioning to new algorithms to replace RSA and elliptic curves due to vulnerabilities exposed by quantum computing threats.

Splunk Enterprise Update Patches Code Execution Vulnerability

Splunk has released fixes for high and medium-severity vulnerabilities in its products, including Splunk Enterprise, Cloud Platform, and MCP Server.

fromComputerworld

Cisco Systems issues three advisories for critical vulnerabilities in Webex, ISE

Identity and access management is crucial for cybersecurity, with a focus on IAM hygiene necessary to mitigate risks from vulnerabilities.

fromComputerWeekly.com

Cyber Essentials closes the MFA loophole but leaves some organisations adrift | Computer Weekly

Multi-factor authentication becomes mandatory under Cyber Essentials v3.3, with no exceptions for organizations failing to implement it.

McGraw-Hill Confirms Data Exposure, Hackers Claim 45M Salesforce Records Leaked

Unauthorized access to limited internal data at McGraw-Hill was linked to a Salesforce misconfiguration, raising concerns about potential identity fraud and harassment.

Server-room lock was nothing but a crock

A security vulnerability allowed unauthorized access to a server room due to a flaw in the two-factor authentication lock.

Critical Fortinet sandbox bugs allow auth bypass and RCE

Two critical vulnerabilities in Fortinet's sandbox allow unauthenticated attackers to bypass authentication or execute unauthorized code.

$10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks

A sophisticated threat disguised as adware compromised over 25,000 endpoints, allowing silent control through an unregistered domain.

#curl

Software development

Curl shutters bug bounty program to stop AI slop

fromArs Technica

Information security

Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health"

Software development

Curl shutters bug bounty program to stop AI slop

fromArs Technica

Information security

Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health"

Exploited Vulnerability Exposes Nginx Servers to Hacking

A critical vulnerability in Nginx UI allows attackers to take full control of servers, affecting numerous deployments worldwide.

April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More

Critical vulnerabilities in Adobe, Fortinet, Microsoft, and SAP products were highlighted in April's Patch Tuesday releases.

Ancient Excel bug comes out of retirement for active attacks

A 17-year-old critical Excel vulnerability is actively being exploited, prompting CISA to issue a patch deadline for federal agencies.

fromFinbold

Kraken insider extortion reveals remote work security blind spot

"Shortly after access was terminated, we began receiving extortion demands. The criminals threatened to distribute materials from both the February 2025 incident and the recent incident to media outlets and on social media if we did not comply. We will not pay these criminals," Percoco stated.

Information security

Organizations Warned of Exploited Windows, Adobe Acrobat Vulnerabilities

CISA expanded its Known Exploited Vulnerabilities catalog with seven new vulnerabilities, including critical Windows and Adobe flaws.

Adobe Issues Emergency Patch for Critical PDF Flaw Exploited For Months

Adobe released an emergency patch for a critical vulnerability in its products, exploited since December 2025, with a CVSS score of 8.6.

Adobe Patches 55 Vulnerabilities Across 11 Products

Adobe's Patch Tuesday updates address 55 vulnerabilities across 11 products, with critical ColdFusion flaws requiring immediate attention.

Adobe fixes PDF zero-day security bug that hackers have exploited for months | TechCrunch

Adobe patched a critical vulnerability in Acrobat DC and Reader DC that allowed hackers to remotely install malware via malicious PDF files.

Adobe Issues Emergency Patch for Critical PDF Flaw Exploited For Months

Adobe released an emergency patch for a critical vulnerability in its products, exploited since December 2025, with a CVSS score of 8.6.

Adobe Patches 55 Vulnerabilities Across 11 Products

Adobe's Patch Tuesday updates address 55 vulnerabilities across 11 products, with critical ColdFusion flaws requiring immediate attention.

Adobe fixes PDF zero-day security bug that hackers have exploited for months | TechCrunch

Adobe patched a critical vulnerability in Acrobat DC and Reader DC that allowed hackers to remotely install malware via malicious PDF files.

more#adobe

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

[In] ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and [an] attacker is able to upload a web shell and execute arbitrary code on server.

Information security

fromDeveloper Tech News

AI code scanners halt Internet Bug Bounty payouts

The Internet Bug Bounty program has paused new submissions due to AI-driven vulnerability discovery outpacing human researchers' rewards.

1 month ago

Google Paid Out $17 Million in Bug Bounty Rewards in 2025

Google distributed $17.1 million in bug bounty rewards in 2025, a 40% increase from 2024, bringing its 15-year total to $81.6 million across over 700 security researchers.