vulnerability disclosure
3 articles
Microsoft Threatened a Security Researcher With Criminal Charges. It Did Not Go Well.
An anonymous security researcher known as "Nightmare-Eclipse" published six zero-day exploits for unpatched Windows vulnerabilities after claiming Microsoft failed to address the reported bugs, prompting Microsoft's Security Response Center to condemn the actions and hint at potential criminal prosecution. This sparked widespread backlash from the cybersecurity community, with prominent researchers arguing that threatening legal action against security researchers discourages responsible disclosure and pushes researchers toward selling vulnerabilities to malicious actors instead. Microsoft subsequently walked back its position, clarifying it had no intention of pursuing action against researchers conducting legitimate security research.
Anthropic Quietly Fixed a Claude Code Sandbox Bypass Nobody Told You About
Anthropic quietly fixed two vulnerabilities in Claude Code's network sandbox that could have allowed an attacker to bypass its outbound network restrictions and exfiltrate sensitive data. The second flaw, found by researcher Aonan Guan, was a SOCKS5 null-byte injection: a NUL byte in the request could fool the sandbox's host allowlist into permitting connections to hosts it should have blocked. Guan has criticized Anthropic for a lack of transparency, noting that no CVE was assigned to his finding and that no public advisory or release note warned users, although Anthropic states the fix was deployed before his bug bounty report was submitted.
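As an added illustration of the bug class named above (example code written for this page, not Claude Code's or Anthropic's implementation, whose details the article does not give): a SOCKS5 CONNECT request carries the destination hostname as a length-prefixed field, so the field can legally contain a NUL byte. A check that stops at the first NUL sees an allowed name, while the rest of the field still travels with the request. The allowlist, the hostnames and the vulnerable `allowed_naive` check are all constructed for this example; `allowed_strict` validates the whole field as a hostname before comparing.

```python
"""SOCKS5 CONNECT parsing and hostname allowlisting: a NUL-truncating check
beside a strict one. Illustrative example only; not Claude Code's sandbox code."""
import ipaddress

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed allowlist for the example; the real sandbox's list is not on this page.
ALLOWLIST = {"api.example.com", "registry.example.org"}


def build_connect(host: bytes, port: int) -> bytes:
    """Client side: SOCKS5 CONNECT with the DOMAINNAME address type (RFC 1928 s.4):
    VER CMD RSV ATYP LEN DST.ADDR DST.PORT. The host field is length-prefixed,
    so the protocol itself lets it carry any byte, including NUL."""
    if not 1 <= len(host) <= 255:
        raise ValueError("domain length must fit in one byte")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(host)])
            + host + port.to_bytes(2, "big"))


def parse_connect(req: bytes) -> tuple[bytes, int]:
    """Proxy side: return (host_bytes, port) from a CONNECT request, rejecting
    truncated or trailing data. IP literals come back in canonical text form."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT or req[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        if len(req) < 5:
            raise ValueError("truncated request")
        n = req[4]
        host, rest = req[5:5 + n], req[5 + n:]
        if len(host) != n:
            raise ValueError("truncated domain field")
    elif atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])).encode(), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])).encode(), req[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad port field or trailing bytes")
    return host, int.from_bytes(rest, "big")


def allowed_naive(host: bytes) -> bool:
    """Illustrative vulnerable check: compares only the bytes before the first NUL,
    the view a C-string comparison (strcmp) has of the buffer. Everything after
    the NUL is ignored by the check although it is still part of the request."""
    name = host.split(b"\0", 1)[0].decode("ascii", "replace").lower()
    return name.rstrip(".") in ALLOWLIST


def allowed_strict(host: bytes) -> bool:
    """Hardened check: the whole field must be one well-formed hostname
    (RFC 1123 letters-digits-hyphen labels) before it is compared, so a field
    that is not exactly an allowed name can never match. IP literals fall
    through to the allowlist comparison and are denied unless listed."""
    if not host or len(host) > 253:
        return False
    try:
        name = host.decode("ascii")
    except UnicodeDecodeError:
        return False  # any byte >= 0x80 is rejected here
    if any(not (c.isalnum() or c in "-.") for c in name):
        return False  # NUL, whitespace, '/', '@', ':' and friends all fail here
    labels = name.lower().rstrip(".").split(".")
    if any(not lab or len(lab) > 63 or lab[0] == "-" or lab[-1] == "-" for lab in labels):
        return False
    return ".".join(labels) in ALLOWLIST


def decide(req: bytes, check) -> tuple[str, bytes]:
    """Run the proxy's decision for one request: (verdict, raw host field).
    The raw field is returned so the caller can see what the check ignored."""
    try:
        host, _port = parse_connect(req)
    except ValueError:
        return "deny", b""
    return ("allow" if check(host) else "deny"), host


if __name__ == "__main__":
    injected = build_connect(b"api.example.com\x00evil.example", 443)  # constructed input
    print("naive :", decide(injected, allowed_naive))
    print("strict:", decide(injected, allowed_strict))
```

Which component of Claude Code took which view of the bytes is not stated in the article, so `allowed_naive` stands for the class rather than for the actual bug. The safe pattern is the same either way: validate and canonicalize the exact bytes the connection will use, compare by exact match against the allowlist, and have the proxy open the connection to the validated name itself rather than forwarding the raw field.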
AI Bug-Hunting Is Breaking Patch Records Across the Industry
Microsoft's May 2026 Patch Tuesday addressed 118 security vulnerabilities, including 16 rated critical, but notably included no fixes for flaws already being exploited in the wild, a rarity over the past two years. The surge in patching activity across major vendors, including Apple, Google, Mozilla, and Oracle, is largely attributed to "Project Glasswing," an AI vulnerability-detection tool developed by Anthropic that has proven highly effective at finding security flaws in code. The tool has sharply increased both the volume and the pace of security patches industry-wide, with Mozilla fixing 271 vulnerabilities in Firefox 150 and Google patching 127 Chrome flaws in a single update.