I hacked Microsoft's AI bot for healthcare on a Friday night Within hours I could access data of multiple healthcare organizations, but it didn't stop there Microsoft fixed the issue, and then I did it again, and again, and again.. Here's the story of Lethal Injection: 💉

A friendly reminder that CVD is an industry standard that is usually not for the benefit of the researcher. I’ve personally had it used against me as a threat.

Linus, this week: "the continued flood of AI reports has basically made the security list almost entirely unmanageable". At this pace, vulnerability triage at scale is about to become one of the most valuable categories in security infrastructure, and the reason is what AI has done to the economics of vulnerability research. For context: curl ended its bug bounty in January after they got buried in AI submissions. @Hacker0x01 paused the Internet Bug Bounty in March, which forced Node.js to suspend bounty payouts shortly after. @Google stopped accepting AI submissions to its open-source VRP, then raised Android top payouts to $1.5M while cutting Chrome bonus categories that AI tools now produce almost routinely. So, every disclosure channel that mattered five years ago is in some state of restructure, pause, or shutdown. Anyone with an LLM and a few hours can produce a finding, a CVSS score, and a suggested fix, and that whole layer is now commodity output. Now, more than ever, the valuable step is proving the bug is actually exploitable against a specific system with the right preconditions. This is why I think vulnerability triage at scale is about to be a major business. The disclosure mess is just the most visible symptom, but the same pressure exists in every pipeline where security data lands, whether it's internal scanner output, pentest deliverables, attack surface monitoring, or code review backlogs. A finding nobody has proven exploitable against a specific system is a hypothesis, not a vulnerability. Meaning, every security team now has a pile of hypotheses with no scalable way to disprove them. My take if you're running a security program right now: stop ranking findings by CVSS. Rank them by whether someone has actually proven they're exploitable on your system.

ASLR bypasses for those are pointless. There are no real Nginx instances vulnerable because that configuration pattern never exists. Let alone “chaining LFI”; if you can read files on the host you’ve already won. Cut the FUD for no reason.