I'm inviting you to participate in a brief (approx. 10 minutes) online survey to explore how trust in a consortium influences information sharing behaviour.

Introducing 3TOFU -- a Harm-Reduction process to Supply Chain Security when downloading software that cannot be verified cryptographically

The past handful of years I’ve been really interested in static analysis but not from the traditional appsec program perspective of shifting left and catching bugs before they get merged. Instead I use it for code exploration, vulnerability discovery, and…

Apache Airflow is an open-source platform for programmatically authoring, scheduling, and monitoring workflows. While it offers robust features for managing complex workflows, it has experienced...

Homebrew had a security audit performed in 2023. This audit was funded by the Open Technology Fund and conducted by Trail of Bits. Trail of Bits’ report contained 25 items, of which 16 were fixed, 3 are in progress, and 6 are acknowledged by Homebrew’s maintainers.…

Get ready to discover the power of osquery and osctrl, your dynamic duo for advanced system monitoring and security.

During research on the Vestaboard web platform, the Rhino Security Labs research team identified three vulnerable instances of Broken Access Controls.

515K subscribers in the netsec community. /r/netsec is a community-curated aggregator of technical information security content. Our mission is to…

Introduction Several times in my enterprise security career I experienced challenges when it came to security defect/vulnerability handling and management. When I joined eBay in 2006, the security team was fairly small and I recall filing a cross-site noscripting…

I recently received my ZimaCube: a NAS from IceWhale, the same company behind the ZimaBlade, ZimaBoard and most notably CasaOS, a UI to manage docker applications.

Why write this?

Oligo Security's research team recently disclosed the “0.0.0.0 Day” vulnerability. This vulnerability allows malicious websites to bypass browser security and interact with services running on an organization’s local network

About WordPress As of 2024, WordPress powers 43% of all websites in the internet. 474 million websites run WordPress software and one or more out of 70 000 plugins. Unfortunately, as history shows, many WordPress plugins, even popular ones, often contain…

Tony Hawk's Pro Strcpy: A game save and RCE exploit for the Tony Hawk game series that can be used to hack Xbox, Playstation 2, Gamecube, and Xbox 360 consoles.

Claroty Team82 is publishing details of our research into Unitronics' integrated PLCs/HMIs, which began on the heels of numerous critical infrastructure attacks that were disclosed last fall, in particular at water treatment facilities in the United States…

This blog post takes a look at the years where eBPF was one of the kernel subsystems that grabbed the attention of a lot of security researchers. We will tell the story of how we discovered CVE-2023-2163, what our root-cause analysis process looked like,…

Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this paper, I'll unleash novel attack concepts to coax out server secrets

VPN exploitations traditionally has been primarily for initial access. Ori David shows just how much more can be done maliciously post-exploit.