While most vendors ship timely patches for vulnerabilities reported by Project Zero, they don’t always reach users. Today, we’re announcing Reporting Transparency, a new policy to encourage downstream fixes

https://googleprojectzero.blogspot.com/2025/07/reporting-transparency.html

The CHERI Alliance has released an experimental prototype of CHERI support in seL4 and Microkit, accompanied by tutorials to help you get started. This release is now available for you to reproduce, explore, and build upon.

For those who are unfamiliar with CHERI, CHERI support in seL4 enables memory-safe C/C++ user-level projects and applications without having to (re)write code in languages like Rust. This complement's seL4's strong isolation between different components, enforced by the MMU and seL4's software capabilities.

We welcome your feedback and contributions.

Learn more: https://cheri-alliance.org/cheri-sel4-and-cheri-microkit-released/

One obvious thing from fuzzing the CPython JIT with the lafleur fuzzer is that finding crashes is much lower probability than fuzzing CPython with fusil.

Whenever fusil found a crash, it would find hits for it again and again pretty quickly.

With lafleur, we only got 3 hits (2 issues) in thousands of fuzzing hours.

I'm throwing more compute at it, but maybe we'll need to improve the core ideas to get better results.

https://github.com/devdanzin/lafleur

#Python #CPython #fuzzer #fuzzing #fusil #lafleur

The opposite of AI slop reports is a detailed, well written and qualified report that takes many hours of mind-wrestling until we know what to do about it.

Like this: https://hackerone.com/reports/3261310

"we observe that in most ecosystems, the average vulnerability lifespan has increased in recent years. The average lifespan of vulnerabilities across all platforms has grown from 1,056 days to 1,956 days - an increase of approximately 85%." (from 2017 to 2024)

https://www.semanticscholar.org/paper/Open-Source%2C-Open-Threats-Investigating-Security-in-Akhavani-Ousat/5d4450085cce995b38dfd97dc8d668a9221e1477

I found this great samsung spyware (I assume), I present to you : Samsung news!!
https://galaxystore.samsung.com/detail/com.samsung.android.app.spage?cId=000006738177

For an app that's just supposed to tell you the news :
- It comes bundled with the phone
- It auto connects you to your samsung account
- You can't uninstall it, or even disable it (usually only critical system apps that break your phone if disabled do this)
- In the app info the only permission it shows is notification
- However looking at the app package's info shows it also has permissions to see all installed apps, read and edit settings, run on phone startup and start stuff in the background
- Uninstalled it with root, my phone works flawlessly

Well, that's just 1 app I took a look at. There can be many more simillar ones! I really should install a custom OS
@soatok @xanthe @sebsauvage
#privacy #android #samsung

To me programming is more than an important practical art. It is also a gigantic undertaking in the foundations of knowledge.

— Grace Hopper

#programming

💻Have you read our recent publication?

A critical double-free vulnerability has been discovered in the pipapo set module of the Linux kernel’s NFT subsystem. An unprivileged attacker can exploit this vulnerability by sending a specially crafted netlink message, triggering a double-free error with high stability. This can then be leveraged to achieve local privilege escalation: https://ssd-disclosure.com/ssd-advisory-linux-kernel-pipapo-set-double-free-lpe/

So, this is a funny thread about a gag Tom Lehrer left in an old NSA internal publications, and it’s funny, but I have to tell you that I find the idea of sixty year old math papers staying classified is somehow alarming.

https://bsky.app/profile/opalescentopal.bsky.social/post/3luxxx27nos23

Alarming as it is, the article below is still not alarming enough! Microsoft France here claims they've never seen a CLOUD ACT request for French government data. Perhaps true. However, under the FISA section 702 & EO 12333, Microsoft is still mandated to deliver such data to the NSA, and Europeans will never learn of that request. US spies do not need to ask Europeans for permission to spy on European governments! #sigint https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/

The European union is developing an age verification app for EU citizens which relies on Google for verifying the integrity of the app.

This means users who run a custom ROM (e.g #lineageos, #grapheneos) won't access some EU resources.

Read the complete explanation on Reddit: https://www.reddit.com/r/BuyFromEU/s/yO3njXfX1x