Oracle's bad faith with security researchers led to publication of a Virtualbox 0-day

In the debate over "responsible disclosure," advocates for corporate power say that companies have to be able to decide who can reveal defects in their products and under which circumstances, lest bad actors reveal their bugs without giving them time to create and promulgate a patch.

All versions of Openssh share a critical vulnerability, including embedded code that will never be updated

Every version of the popular Openssh program -- a critical, widely used tool for secure communications -- shares a critical vulnerability that was present in the program's initial 1999 release.

Antivirus maker Sentinelone uses copyright claims to censor video of security research that revealed defects in its products

At this week's B-Sides Manchester security conference, James Williams gave a talk called "Next-gen AV vs my shitty code," in which he systematically revealed the dramatic shortcomings of anti-virus products that people pay good money for and trust to keep them safe -- making a strong case that these companies were selling defective goods.

Truthful security disclosures should always be legal. Period.

After a week of blockbuster security revelations from Defcon, it's important to take a step back and address the ongoing battle by companies to seize a veto over who can reveal defects in their products.

Blueborne is a newly revealed Bluetooth attack that allows wireless penetration of billions of devices

Security research firm Armis has disclosed eight new Bluetooth vulnerabilities, collectively called "Blueborne," that take less than 10 seconds to penetrate and take over a device with Bluetooth switched on, without the user having to connect to a compromised device or take any other action.