just small circles 🕊 boosted
julian
@julian@activitypub.space · 5 days ago

"Security" category

Just a thought as I work through some bugs reported to NodeBB... would there be interest in ActivityPub.space hosting a "security" category for discussion around vulnerabilities, CVEs, and such that are related to ActivityPub?

For example, if NodeBB were to receive a bug bounty report and responsibly disclose the details, it would be ideal to have it archived in a place where it won't just disappear off the feed in a matter of minutes.

Matt "msw" Wilson boosted
Matt "msw" Wilson
@msw@mstdn.social · 2 weeks ago

@jacques @bagder @gregkh

ICYMI, here's a paper that was trying to answer this research question in the context of #OpenSource #Java projects on GitHub: "What do open-source maintainers think about integrating #VEX into their existing SBOMs?"

TL;DR: "In most cases, our augmented SBOMs were not directly accepted because developers required a continuous SBOM update."

https://dl.acm.org/doi/pdf/10.1145/3696630.3728513

#SBOM #CVE #InfoSec

Jacques Chester
@jacques@mastodon.chester.id.au · 4 weeks ago

@bagder @gregkh isn’t this what VEX is meant for?
Daniel Appelquist boosted
daniel:// stenberg://
@bagder@mastodon.social · 3 weeks ago

From suspicion to published #curl #CVE. The process.

https://daniel.haxx.se/blog/2025/09/18/from-suspicion-to-published-curl-cve/

Matt "msw" Wilson
@msw@mstdn.social · last month

I definitely recommend folks read the paper linked in the first post. Here's a TL;DR summary in the form of Figure 1: "A hypothetical graph of risks of loss from penetration and from application of a bad patch. The optimal time to apply a patch is where the risk lines cross."

#CVE #OSS #FOSS #FLOSS #OpenSource #FreeSoftware #InfoSec

@smb @adamshostack

A graph showing Time along the X axis and Risk of Loss along the Y axis. Two curves are on the graph, one is the "bad patch risk" which decreases over time, and the other is "penetration risk" which increases over time. Where the two lines cross, a circle is drawn representing "Optimal Time to Patch".

Caption: "Figure 1: A hypothetical graph of risks of loss from penetration and from application of a bad patch. The optimal time to apply a patch is where the risk lines cross."
Matt "msw" Wilson
@msw@mstdn.social replied · last month
@smb @adamshostack

Folks who like that paper may like this one as well.

It studies Microsoft "Patch Tuesday" updates in particular, which are much different (in my opinion) than your typical open source software updates that are labeled with a CVE.

#CVE #PatchTuesday #InfoSec

https://arxiv.org/abs/2307.03609

Matt "msw" Wilson
@msw@mstdn.social · last month

While many things have not changed since this paper was published in 2002, the landscape around #CVE and open source software has, in my opinion.

This paper mainly contemplates official patches and bulletins from commercial vendors, or at least a CVE that was reviewed by a panel of editors. It rightly calls out that the quality of fixes varies widely.

However, today a CVE in a FOSS package may mean little to nothing in context of a production product or system.
#FOSS
@smb @adamshostack

Matt "msw" Wilson
@msw@mstdn.social · last month

Indeed, this strategy is more effective when bravehearts deploy changes with ambition and report real-world problems, as we know that it is difficult to exhaustively test a change to the point of eliminating all possible new defective behaviors.

@smb @adamshostack

Matt "msw" Wilson
@msw@mstdn.social · last month

"As a perhaps amusing aside, if everyone were to follow our suggested delay practice, it would become much less effective. Fortunately, we have no expectation that everyone will listen to us."

Unpopular opinion: more people should follow this advice.

Unfortunately, many feel they have no choice but to deploy patches with a "security fix" label on them more quickly than they normally would make changes to complex systems.

@smb @adamshostack

#CVE #InfoSec
https://shostack.org/files/papers/time-to-patch-usenix-lisa02.pdf

Edbro
@edbro@swecyb.com · 2 months ago

Did you know SaaS now has its own CVE tag?

For years, vulnerabilities in SaaS services were hard to track – often without a CVE ID at all. That’s finally changing.

👉 The new exclusively-hosted-service tag tells you:

This issue affects only the hosted service (not on-prem).

In many cases, the provider has already fixed it – no customer patch needed.

Microsoft and Google are already using it. That means SaaS CVEs are now easier to find, easier to interpret, and easier to act on.

Why it matters:
Less noise. Better transparency. Smarter triage.

SaaS is the default – it’s about time our vulnerability management caught up. 🌥️🔐

#cybersecurity #SaaS #CVE

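An added example, not part of Edbro's post or any CVE Program tooling: a small Python triage routine that keys on the `exclusively-hosted-service` CNA tag the post describes, so hosted-only records are separated from ones a self-hosting team still has to patch. The record shape (`cveMetadata.cveId`, `containers.cna.tags`) follows the CVE Record Format (JSON 5.1); the sample records below are constructed placeholders.

```python
import json

# CNA tag from the CVE Record Format (JSON 5.1) that marks a record as
# affecting only the vendor-hosted service, never an on-prem deployment.
HOSTED_ONLY_TAG = "exclusively-hosted-service"


def cna_tags(record: dict) -> list:
    """Return the CNA container's tags for a CVE JSON 5.x record ([] if absent)."""
    return record.get("containers", {}).get("cna", {}).get("tags", [])


def triage(record: dict) -> dict:
    """Classify one record for a team that self-hosts its software.

    A hosted-only record means the provider owns the fix and there is nothing
    for the customer to patch; everything else goes to the normal patch queue.
    """
    hosted_only = HOSTED_ONLY_TAG in cna_tags(record)
    return {
        "cve": record["cveMetadata"]["cveId"],
        "hosted_only": hosted_only,
        "action": ("informational: provider-side fix, no customer patch"
                   if hosted_only else "queue for patch assessment"),
    }


def partition(records: list) -> dict:
    """Split a batch of records into hosted-only and customer-actionable IDs."""
    out = {"hosted_only": [], "actionable": []}
    for rec in records:
        result = triage(rec)
        out["hosted_only" if result["hosted_only"] else "actionable"].append(result["cve"])
    return out


# Constructed sample records in CVE JSON 5.1 shape; IDs and text are placeholders.
SAMPLE_FEED = json.loads("""[
  {"cveMetadata": {"cveId": "CVE-0000-00001"},
   "containers": {"cna": {"tags": ["exclusively-hosted-service"],
     "descriptions": [{"lang": "en", "value": "Placeholder: flaw in a hosted console, fixed server-side."}]}}},
  {"cveMetadata": {"cveId": "CVE-0000-00002"},
   "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Placeholder: on-prem agent flaw; customers must upgrade."}]}}},
  {"cveMetadata": {"cveId": "CVE-0000-00003"},
   "containers": {"cna": {"tags": ["disputed"],
     "descriptions": [{"lang": "en", "value": "Placeholder: disputed report, not hosted-only."}]}}}
]""")

if __name__ == "__main__":
    print(json.dumps(partition(SAMPLE_FEED), indent=2))
```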
Joel 🔪 May-Kill 🔪 boosted
kriware :verified:
@kriware@infosec.exchange · 2 months ago

GitHub Copilot: RCE via Prompt Injection

A prompt-injection attack enables Copilot to auto-approve via chat.tools.autoApprove, triggering YOLO mode and running arbitrary code.

https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/

#promptinjection #cve

Matt "msw" Wilson
@msw@mstdn.social · 2 months ago

"SUSE Multi-Linux Manager provides automated patching, content lifecycle management, and realtime monitoring to keep your mixed Linux environment secure"

#CVE #RCE #InfoSec

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-46811

Bill
@Sempf@infosec.exchange · 2 months ago

Another WordPress plugin injection vuln. The original supply chain vulnerability. (Well, no, but you can smell what I'm cooking right?)

Critical Flaws in WordPress Plugin Leave 10,000 Sites Vulnerable

https://www.infosecurity-magazine.com/news/flaws-wordpress-plugin-expose/

#wordpress #cve

Pascal boosted
Thinking Elixir
@ThinkingElixir@genserver.social · 3 months ago

News includes EEF's first #CVE release, Supabase's Multigres for scaling #postgres, new #MCP servers for Phoenix, #Erlang surviving extreme load tests, LiveDebugger v0.3.0 preview, and more! @elixirlang #ElixirLang https://www.youtube.com/watch?v=DsVyY4XHVm8

Jan Wildeboer 😷:krulorange:
@jwildeboer@social.wildeboer.net · 3 months ago

Dear @Gargron — Can we take another, fresh look at https://github.com/mastodon/mastodon/issues/20694 ? Hashtags should ultimately support full UTF8, IMHO, but adding at the very least the dash would be very helpful. It's not just band or artist names. CVEs are a better example. It would be really helpful when I can use #CVE-2025-6019 instead of #CVE20256019 as I am forced to do now. I guess hashtags are not in scope of the ActivityPub protocol, @evan ?

Eva Winterschön
@winterschon@mastodon.bsd.cafe · 4 months ago

CVE-2025-5689 😂🙃

Fire up your "anyone we don't know gets root!" account SSH sessions to gain unmitigated control over Ubuntu systems running "Systemd AuthD"

Clown shoes over there, ffs how is this even a real CVE 🤦🏼‍♀️

- https://nvd.nist.gov/vuln/detail/CVE-2025-5689
- https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr

#systemd #uhuhuhubuntu #ubuntu #infosec #cve #noreally #linux #authd

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances
Bonfire social · 1.0.0-rc.3.1 no JS en
Automatic federation enabled
  • Explore
  • About
  • Members
  • Code of Conduct
Home
Login