Harry Sintonen

npub1te8a...pgc3
Infosec consultant at REVƎЯSEC https://reversec.com - Coding, Research + various other interests PGP: https://sintonen.fi/pgpkey.txt Research: https://sintonen.fi/advisories/ Github: https://github.com/piru
I understand #curl project decision to stop the #bugbounty and leave #hackerone. The torrent of #AIslop has become unbearable. I will continue to report vulnerabilities to the project whether it has a bug bounty or not.
No, there's no major security vulnerability in zlib. There's a stack buffer overflow in the contrib/untgz tool. However, these tools are unsupported as described by the README.contrib file: " All files under this contrib directory are UNSUPPORTED. They were provided by users of zlib and were not tested by the authors of zlib. Use at your own risk. Please contact the authors of the contributions for help about these, not the zlib authors. Thanks. " #infosec #cybersecurity
#curl 8.18.0 has been released. This release fixes 1 medium and 5 low severity vulnerabilities:
- CVE-2025-14017: broken TLS options for threaded LDAPS
- CVE-2025-14524: bearer token leak on cross-protocol redirect
- CVE-2025-14819: OpenSSL partial chain store policy bypass
- CVE-2025-15079: libssh global knownhost override
- CVE-2025-15224: libssh key passphrase bypass without agent set
I discovered the last 2 vulnerabilities. Download curl 8.18.0 from #vulnerabilityresearch #vulnerability #cybersecurity #infosec
It's good to see at least some challenges to the Anthropic claims that "AI-assisted attack was 90% autonomous". - Unfortunately, the majority of media outlets are parroting these #cyberslop claims unchallenged. The report by Anthropic makes some fantastical claims and conclusions based on those claims. In the end, while the threats are there, they're mostly unrelated to AI or LLM use. Pouring more money into AI companies isn't a magic solution. There's a better use for this budget: invest it in doing what you have been doing all along - maintain good visibility and understanding of your environments and associated software solutions, patch your systems in a timely manner, perform periodic security assessments (internal or external), and detect and respond to threats. AI and LLMs are not magic and can't exploit vulnerabilities that are not there.
If you have ever wondered why #Facebook seems either to ignore or fail to remove obvious scammers when you report them - well, there's a reason for it: They make a huge profit for Facebook. If you believe Facebook has now stopped or will in future stop this practice now that they've been exposed, you're way too trusting. "Bombshell report exposes how Meta relied on scam ad profits to fund AI" #scams #fraud #scammers
Humans make mistakes all the time, yet nuclear power is extremely safe. A wide range of precautions and protocols are in place to ensure nuclear safety, starting from the work culture. This interesting video by Smarter Every Day shows the refueling process of a nuclear reactor: While seeing the insides of nuclear reactors and how they're refueled is interesting, I find the safety&security processes and practices around the process even more interesting. This video gives you some idea why nuclear power-related accidents are so rare. People do make mistakes, but the overlapping and multilayered safety&security processes catch the mistakes before they can lead to bigger problems. There are things to learn here even for the world outside of the nuclear industry:
- Having a work culture that encourages reporting mistakes without reprisal and reprimand helps catch issues early, as they are more likely to be reported.
- Identifying the critical systems and having layered safety&security is important. Not everything needs to be super tight. Applying the super tight rules everywhere would likely just make people ignore the rules, at least in part.
- Training is important. Understanding the reason why tight safety/security is in place in a system is crucial. With this understanding, it is more likely that the rules are obeyed.
#security #safety #nuclearsafety #nuclearpower
#Microsoft is clearly becoming desperate due to low adoption rates of #Copilot. Apparently, Microsoft is now pushing Copilot to all #Microsoft365 personal subscribers and calling it a "subscription price increase". Only when you decide to cancel your subscription are you presented with the option to switch to "Microsoft 365 Personal Classic" without Copilot (and nearly the old price). The classic plan is not presented as an option unless you try to cancel your subscription. This is a classic scammy trick: Modify the existing plan and add the feature no one wants and hide the old plan from view. Presto, now you have an insane adoption rate you can present to investors as a great success. I personally don't use Microsoft subscription services, so I don't know if they tried this bullshit in the EU, but if they did, they're asking for trouble. They got sued in Australia over this already: "Microsoft in court for allegedly misleading millions of Australians over Microsoft 365 subscriptions"
Several months ago, I found a #vulnerability in #MantisBT - authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776). Any account that has a password that results in a hash that matches ^0+[Ee][0-9]+$ can be logged in with a password that matches that regex as well. For example, password comito5 can be used to log in to the affected accounts and thus gain unauthorised access. The root cause of this bug is the incorrect use of == to match the password hash:
if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password )
The fix is to use === for the comparison. This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability. #CVE_2025_47776 #infosec #cybersecurity
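The comparison flaw behind this bug, shown as an added stand-alone PHP illustration (this is not MantisBT code and not from the post; the two hash strings below are constructed values of the vulnerable shape, not hashes of any real password). PHP's loose == treats two numeric-looking strings such as "0e123" and "0e456" as the number 0 and reports them equal; === and hash_equals() compare the actual bytes, which is what the fix relies on. The audit helper at the end uses the regex from the post to flag stored hashes that would have been affected.

```php
<?php
// Constructed sample values: a stored hash of the vulnerable shape and a
// different candidate of the same shape (both parse as the float 0.0).
const STORED_HASH    = '0e11223344556677889900112233445566';
const CANDIDATE_HASH = '0e99887766554433221100998877665544';
const UNRELATED_HASH = '5f4dcc3b5aa765d61d8327deb882cf99';

// Vulnerable pattern (the shape of the pre-fix check): loose equality.
// Numeric strings are compared as numbers, so "0e..." == "0e..." is true.
function verifyLoose(string $stored, string $candidate): bool
{
    return $candidate == $stored;
}

// Fixed pattern: strict, byte-wise comparison. hash_equals() is also
// timing-safe, which is preferable for secrets; === alone would close the bug.
function verifyStrict(string $stored, string $candidate): bool
{
    return hash_equals($stored, $candidate);
}

// Defensive audit: does a stored hash have the shape that the loose
// comparison mishandles? (Regex taken from the advisory text above.)
function isMagicHash(string $hash): bool
{
    return preg_match('/^0+[Ee][0-9]+$/', $hash) === 1;
}

var_dump(verifyLoose(STORED_HASH, CANDIDATE_HASH));   // bool(true)  - the bug
var_dump(verifyStrict(STORED_HASH, CANDIDATE_HASH));  // bool(false) - fixed
var_dump(verifyStrict(STORED_HASH, STORED_HASH));     // bool(true)  - correct password still works
var_dump(isMagicHash(STORED_HASH));                   // bool(true)
var_dump(isMagicHash(UNRELATED_HASH));                // bool(false)
```

The same loose-comparison behaviour applies in PHP 8, because the rule change there only affected comparisons between numbers and non-numeric strings; two numeric strings are still compared numerically. Scanning a password table with isMagicHash() is a quick way to estimate how many accounts a deployment had at risk before upgrading.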
I would be glad to donate to the #Python project, but doing so requires me to divulge my name and contact information as per their 501(c)(3) charitable organisation status: "Contact information is required for tax reporting purposes and will be shared only with the US government." Considering the current status of the US government, I don't feel comfortable doing this. Are there some other ways to donate to the Python project without getting the US government involved?
@npub1vv84...6fhk