🥳🥳🥳

‼️ After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories. The response from the security community isn't going Microsoft's way. As they’re not backing Microsoft. Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word." Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case. Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.

🇬🇧 EN WSO2 products run banking, insurance and government infra worldwide. Ambionics Security researchers found 12 critical 0-days and chained 7 N-days into a single unauthenticated request for RCE. Live demo included. Friday 16:15 #leHACK billetweb.fr/lehack-2026-bra…

0e11c4aa285dffe95d2d7e90d974ad0e72336549b0dd2161dec606ba4955e2e1 qemu.c

Confirmed! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin

guy who cant tell the difference between mp4 and exe

i saw a mouse with an X-shaped battery compartment. first thought: this is stupid - who designed it? 5 seconds later: oh. 10 seconds later: OHHH! the X slot fits an AA or an AAA battery - whichever you've got lying around. the part most people miss is that the shape also makes it physically impossible to load both at once. there is no warning label, no instructions and no way to screw it up. the geometry does the thinking for you. japanese has a word for this. poka-yoke = "mistake-proofing." the product refuses your stupidity before you can offer it. i wish more things worked like this.

Multiple security vulnerabilities affecting React Server Components and Next.js have been disclosed. We strongly recommend updating your applications immediately. Cloudflare WAF managed rules already mitigate the disclosed denial-of-service vulnerabilities, and we are investigating additional coverage for several other CVEs. developers.cloudflare.com/ch…

Fortinet is part of @OpenAI’s Trusted Access for Cyber program, helping explore how frontier #AI models can be safely and effectively applied to cybersecurity workflows. As cyber threats become more sophisticated, #Fortinet continues to integrate AI into security testing and analysis in a governed, structured manner. OpenAI’s newly released model represents an advancement in cyber reasoning, supporting agentic workflows that can help strengthen defensive capabilities while maintaining rigorous human oversight. Read more: ftnt.net/6013BBYn9F