I'm now GNA 119 under CIRCL's GCVE system. I have authority to assign vulnerability IDs to my own cloud security findings starting today. I'm choosing not to. Cloud finding validation shouldn't be one person's judgment. Forming a consensus panel of practitioners per cloud platform. Charter coming. olearysec.com/gcve/

AI’s deadliest feature isn’t intelligence. It’s the certainty it lends to people who’ve stopped thinking.

Microsoft ridiculed a researcher reporting very serious bugs to them, deleted his account, and no bug bounties were paid. These should be high payouts. Now $MSFT is threatening legal action and speaking as if a researcher’s proof of concept code is illegal. This is because the unappreciated researcher released more zero-day vulnerabilities on his own and had those GitHub/Lab accounts banned. They were serious enough that Microsoft is scrambling to fix them but wasn’t serious enough to be paid or recognized, instead was ridiculed. News of the Nightmare Eclipse exploits are everywhere but read the personal blog of the researcher, Nightmare Eclipse: deadeclipse666.blogspot.com/…

MSRC silently rolled out a custom, cluster-wide code modification specifically tailored to break my exact exploit primitive, all while insisting "no product changes were made". Bespoke customer service right there.

Schrödinger's vulnerability: simultaneously not a bug and quietly patched.

No CVE? No problem. @MSFTSecResponse won't give it a CVE but @BleepinComputer will give it a headline. Article: bleepingcomputer.com/news/se… Video: youtube.com/watch?v=qvd_xSVV… cc @Ax_Sharma