“We still have not seen a single valid security report done with AI help,” was the unequivocal conclusion to a LinkedIn post bemoaning the deluge of AI slop by Daniel Stenberg, original author and lead of the curl project. 🤖 A clearly exasperated Stenberg said he would “now ban every reporter INSTANTLY who submits reports we deem AI slop”. Speaking to Ars Technica, Stenberg said AI-generated reports were invariably “friendly phrased, perfect English, polite, with nice bullet-points” – and useless from a security point of view. Similarly, a software engineer at Open Collective, which manages its own program, recently complained that “our inbox is flooded with AI garbage”, suggesting the inundation might ultimately force them to migrate to a Bug Bounty platform that can triage reports on their behalf. 🤔
Bug Bounty win for OpenPGP.js
The second story on our monthly roundup (first published as a LinkedIn newsletter) involves a big win for human bug hunters (go, humanity!). A pair of researchers from Codean Labs discovered a significant vulnerability in OpenPGP.js that could have allowed attackers to spoof signature verification. 😮 The flaw, which was reported to the OpenPGP.js Bug Bounty Program on YesWeHack, recently hit the headlines – attesting to the rarity, technical sophistication and impact of such cryptographic bypasses. It also reflects the wide deployment of OpenPGP.js and the potential impact on popular downstream applications. We invited researchers Edoardo Geraci and Thomas Rinsma from Codean Labs, plus OpenPGP.js maintainer Daniel Huigens, to comment on the discovery and disclosure process. 💬 For an in-depth analysis of the discovery process and proof of concept, also read Thomas Rinsma’s newly published writeup documenting his and Edoardo Geraci’s discovery.
Speaking of prioritising vulnerabilities, “defending against zero-day exploitation continues to be a race of strategy and prioritisation,” according to an analysis of zero days exploited in the wild by the Google Threat Intelligence Group. The quartet of Google researchers who penned the blog post said zero-day vulnerabilities are “becoming easier to procure” and that “attackers finding use in new types of technology may strain less experienced vendors”. 🚨 The writers warn of a shift beyond a “historic focus on the exploitation of popular end-user technologies […] toward increased targeting of enterprise-focused products [which] will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.” 🛡️
CISO stumbling blocks
Before we round up our own recent CISO-focused content, here are a few other notable stories of interest we’ve spotted elsewhere:
🔒 CISOs bet big on AI tools to reduce mounting cost pressures – an ITPro examination of Wipro’s State of Cybersecurity Report 2025
🔒 How to survive as a CISO aka ‘chief scapegoat officer’ – The Register reviews a recent RSA Conference panel on CISO whistleblowing
🔒 Will AI agent-fueled attacks force CISOs to fast-track passwordless projects? – feature by CSO
🔒 ‘Secure email’: A losing battle CISOs must give up – CSO opinion piece by Keith Lawson, CISO at the London Health Sciences Centre
Prioritisation the watchword
How do you decide which vulnerabilities to fix first? Should CVSS scores be the overriding metric? 🤔 Instalment #2 in our series on continuous threat exposure management (CTEM) – which Gartner believes could lead to a two-thirds reduction in breaches – focuses on the model’s prioritisation and validation phases. 🧐 Learn how automated priority scores can facilitate risk-based remediation, and the benefits of consolidating multiple sources of vulnerability discovery into a single, unified interface. 💡
Developers typically spent nearly two hours extra per week on security tasks in 2024 compared to the previous year, according to an IDC report. 🧑‍💻 They were also spending an average of more than three hours a week addressing unexpected security issues outside of normal working hours. ⏰ Suggestive of a reactive rather than proactive security culture, this context points to two solutions to the rising cost of DevSecOps: streamlining remediation, and upskilling devs to prevent vulnerabilities from appearing in the first place without disrupting their workflows. ✅ Read our take on the IDC report findings.
🤘 Meet the YesWeHack team
Our next event is Congrès du CoTer Numérique, taking place in Clermont-Ferrand, France, on 17-18 June. You can find our team and bag some swag at booth 125. Hope to see you there!
After that comes one of our most important events of the year. Taking place in Paris on 27-29 June, LeHACK sees us, as usual, host a live Bug Bounty event with a mystery target unveiled on-site. The marathon live hacking event will start at 10am on 28 June in ‘Le Loft’ and run until the early hours of the following morning. You can also find our team at booth 41 to talk Bug Bounty and vulnerability management. Finally, prizes will be up for grabs for the successful completion of a CTF challenge crafted by our Tech Ambassador, BitK. 🏆
More conferences and live hacking events will be announced soon! 📅
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.