The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users. Not flawless security, but it's something...
This recommendation seems incompatible with third-party collaboration, at least on its face!
> but it's probably worth noting that "RMI" stands for Remote Method Invocation
This reminds me of someone submitting a (clearly vibecoded) vulnerability report claiming to have found a way to execute arbitrary SQL. The project in question? An SQL server... https://github.com/tursodatabase/turso/pull/4322
Does it? Or does it need to be in the same directory you invoked ghidra?
After a bit of research, the Firefox one seems plausible to me. But, I haven't actually tried the POC. The explanation about the private-data and untrusted-input flags is plausible but I'm not an expert on Firefox's internals, maybe that's not actually how it works.
This just sucks, all around. Are we going to need every open source project gawking at the same repo full of stuff that has nothing to do with them, on the off chance that someone discloses a vuln that does have to do with them? Is this some kind of performative complaint about high friction in responsible disclosure? Well great job dickhead, you've just made a system that's even worse. Nobody benefits from this. Yuck yuck yuck.
Disclosures always enable more secure software to theoretically exist,
even if nobody follows through creating it.
They often do.
Maybe I'm projecting my own biases ;-)
The nghttp2 nghttpx one is more interesting, and could potentially be used for phishing, but it's very hard to line up properly because the request queue is non-deterministic so basically impossible to target a specific victim (assuming proxy traffic).
The VLC one is just a straight-up crash/bug. And VLC crashes all the time when using weird codecs, so that's nothing new.
Am I missing something here?
So maybe tweaking your usage (ex. no spaces around them) or using a technically incorrect en-dash might offer the desired effect while subtly signaling that your message isn't AI-generated.
I still use them — mostly for pauses — but I'd like to think my voice sounds distinct enough from an AI that people can tell.
(disclaimer: I feel like this obsession with dashes is special to native English speakers, which I'm obviously not)
However I've only ever used regular dashes. How do you type an em-dash? Is it OS specific? I've taken to using Emacs insert-char with a list of frequently used ones in my scratch buffer. My memory for Unicode is unreliable.
On Linux X11 at least, you can enable the Compose key and then press `<Compose>---` which results in — and `<Compose>--.` which gives you –
On iOS you type it by pressing dash and holding until alternative options come up, same way you type e.g. accented characters.
Why go the extra way to have a slightly elongated dash when a normal one would just as well do the job?
I might be conpletely off here but I've never seen a situation where using a normal dash where a long one should be causes any sort of syntactic trouble.
And if it ever catches on with LLMs ⸻⸻ we just make it longer
> A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.
Which is roughly the definition of zero day. Whether the contents of the repo reflect the above claim is something else entirely.
Reminds me of Jamie Wolf's joke about bestiality laws. Who are those for? What stops most people from bestiality is… not wanting to have sex with animals! For people who do want to, what, they won't because of… the law??
Who will this comment stop??
Regarding the comment, it isn't going to stop anyone. Most people will not do cybercrime because they're honest. Of the remaining, the risk of being sentenced to jail time will instead stop some people, even if not all of them.
The point of beastiality laws are to give society some recourse to punish people who abuse animals.
There was a very famous case back in Washington state back in the early 2000s where a group of men were sexually abusing horses. It was uncovered because one of them died, and the other could only be charged with trespassing because it wasn't illegal at the time to sexually abuse animals.
Others consider law a way of encoding the group’s existing rules and norms.
In that view, making something illegal or mandatory is not a prerequisite for punishment: it’s the actual main point.
The threat of punishment is meant for those not deterred from an act by the simple fact it is illegal (and the threat only works if enforced).
Others put it the other way around, and see law as social engineering, a way to shape the group, either through the encoding itself of the desired behaviours in law, or through deterrence. Or both. If what one is after is either power or legitimacy, they need compliance more than punishment (can’t rule once you’ve chopped everyone’s heads off, or once the mob has put yours on a spike).
It’s also sometimes used as coordination (which side of the road we drive on).
And there’s also law as dispute resolution (if your neighbour’s hen lays an egg in your garden, who does it belong to? Yes, it’s ridiculous. Yes, some places have one or more laws for that). Which, incidentally, both requires and provides legitimacy. Funny, that.
And probably many other kinds / points of view, with many different purposes, intents, and mechanisms.
Anyway, all that to say law is vast, fascinating, and utterly tedious. And apologies for the tangent.
You're thinking of criminal law. And it's not just some group's rules and norms - there already exists familial or social group punishment for that. Criminal law is prosecuted by the State. It's the code of conduct of the society you exist in.
If you want a thought experiment for what life would be like without organised society, read Leviathan
Hence why we accept State governance and law (to a greater or lesser extent, obviously people protest specific laws and injustices and what's on the statute books changes on a regular basis), because the alternative to law is "nature", aka bigger-army diplomacy. Anarchy doesn't free people, it only gives freedom to those with existing power to disempower others. Those with superior power will simply rob, rape, kill or enslave everyone else.
States exist to secure their territory from those sort of external threats, and incubate an economy inside their borders, which aspires to bring wealth and happiness. The criminal law is put in place by those with the monopoly on legitimate violence, often encoding the views of the population, to keep their society running.
The people who want to see the people doing bestiality punished
I really think this characterization is misleading. It's not "getting smart", only more tailored toward a specific usage, better curated dataset, better harness, better prompts, better labeling of results, documentation of failures and success, etc.
The outcome is (hopefully) overall better but this anthropomorphized wording makes it sound like AI itself is somehow changing or evolving. No, both academia doing fundamental research, industry making it available commercially, and finally security researchers making the entire tooling and process packaged as a service are actively shaping it to make it better. There is no "it".
Or are you just defining "fast" as something only horses can do, and considering that a useful insight about cars?
edit: downvotes but no rebuttals. feel free to show me where the agency, reasoning from first principles, world model etc exists. or you can ask an llm and they'll tell you they don't have those.
Every software update introduces and reintroduces them
Seems like we're already in the middle of this phase, but rather than dying down, the 'reports' have just gotten more noisy and obtuse, making it more difficult to establish the actual degree of threat / attack vector.
As a bonus if you find any actual zero-days in your mass-generated ones you don't report it and get a new one to play with.
Assuming, of course, said state agency is operating under sufficiently strategic governance and management…
Didn’t bother submitting since who actually uses tizen?
It’s possible/likely that whomever is running this experiment is keeping the non slop bugs to themselves. It’s probably what I’d do.
Theres a bunch of very specific scenario DoS bugs, buffer over/ underflows, that will get caught by ASLR and whatnot
When I report serious ones, mostly the devs will respond with something like, yeah, thats how we designed it in a dangerous way, so that the layer above or below can solve the issues, and other footgun stuff.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
> OSS only needs someone to have a strong LLM to check for bugs.
The same applies to propietary, closed-source code. It being closed-source means that the source isn't generally available, but the executable is. Hence, someone with a strong model can still reverse it and find vulns.
something like nginx could arguably be more secure if it was closed source
(I am a proponent of and contributor to open source)
Maybe if it's some server-side software that you only use yourself...
A different way to frame this would be that those bugs would never be surfaced or exploited if the software were proprietary.
I'd love to hear why you think obscurity is bad, if you now think maybe it's good in the LLM age?
I'd also be interested if you could describe exactly what or how you think security through obscurity works, or doesn't?
I've been thinking a lot about how to better teach this concept, so I'm looking to understand exactly how everyone thinks/understands how it currently works, or should work, or what it should do. I don't care about the "correct" answer, (I have ddg too :P) I'm interested in general expectations from SWE's that I might teach at work, instead of opinions of security eng speaking about theory.
In the case of FOSS software, it is generally recognized that the small advantage of keeping the source secret is far outweighted by the contributions and vuln reports you get if you publish the source.
> starting to think security through obscurity might not be a bad thing
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.
Many French people with crypto money experienced that the hard way recently.
In short, it's a very active and growing activity. Many data leaks helped people to identify wealthy targets. Some just brag about having crypto.
https://www.lemonde.fr/societe/article/2026/04/24/enlevement...
https://www.franceinfo.fr/faits-divers/cryptomonnaies-la-vag...
https://www.lemonde.fr/societe/article/2025/08/19/l-ascensio... (paywall)
https://www.slate.fr/societe/enlevements-lies-cryptomonnaies...
Some random recent ones we know about:
https://france3-regions.franceinfo.fr/grand-est/haut-rhin/mu...
https://www.leparisien.fr/faits-divers/renseignes-par-des-ha...
Banks give you an advantage with transaction security and deposit insurance, but that's dealing with money and not cash.
Then I did some searching and found multiple examples of both definitions in use, making things murky.
So I turned to Merriam-Webster’s dictionary: “ of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor”
And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.
No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.
The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.
I've been a skiddy, he would have believed this. Thankfully, I've grown a bit, and can see this for the transparent, "I'm angry and want to hurt others so I will feel a little less alone", it actually is.
I'm sorry you're so angry dude (me too), but as someone who's joined the blue side, we'd appreciate it if you gave us some kind of heads up, the bad guys generally have a lot more time to scroll for new payloads than I do. Not all of us deserve the kindness of a heads up, but every single one of our users deserve it. Don't punish them because you're mad at someone else.
You can flex on the idiots you're trying to flex on, without hurting people. Even an email to security@[that_project_domain] saying "hey, I've published these" would move you from the group of people I see making the world worse, into the group making it better. (You don't have to, obviously, but making the whole world worse wont make you less angry.)
Sure you than can do it anonymous and so on but point is : its not like every actor that gets notified will react thankful to it. Some even just ignore it.
I'm equally annoyed and over the alarmist takes. But I don't think it's fair to group mine into it. I'm annoyed at seeing discard respect for others into the same void everyone is happy to toss quality.
Do these tiny things matter? No, not to the default-panic-level everyone adopts when they see 0day, or CVE... but duh, I'm now just repeating exactly what you already said. That no, for the record is mostly because I don't use any of these, not just because they're boring exploits. While I always look, I default assume anything CVE is boring/pointless. But I still read them.
But then, I'm not trying to convince the owner of the repo. I'm trying to discourage the theme among researchers that "no one cares", because I have seen researchers disclose bugs publicly, that we'd be eager to pay out on, because they disagreed with the decision on their last report.
I've fixed bugs being actively exploited against our users, that was found/fixed only after a whitehat report for something adjacent (we pay on those btw, and you should too). I don't wanna live in the world where it's easier for the bad guys, the only way we get there is once "everyone knows", you gotta report the all bugs that you can turn into an exploit. I don't want "the whitehat researcher culture" to move towards, who cares' dump the PoC on github, screw anyone that could be hurt by the bad guys, they deserve to be punished for the incompetence of others. SWE's are shit at security, security researchers are shit at SWE, the only way we get the good outcome, is if they're willing (and encouraged) to work together.