Microsoft paid a record $17M to 344 security researchers across 59 countries over the past year 
1,469 valid reports helped fix 1,000+ security flaws across Windows, Azure, Xbox, 365 & more.
Highest single bounty: $200K.
AI & identity systems now see expanded bounty scopes.
Weird thing I observed in #infosec
There is an incredible amount of disinterest/contempt for #AI amongst many practitioners.
This contempt extends to willful ignorance about the subject.
q.v. "stochastic parrots/bullshit machines" etc.
Which, in a field with hundreds of millions of users, strikes me as highly unprofessional. Just the other day I read a blog post by a renown hacker (and likely earned a mute/block) "Why I don't use AI and you should not too".
Connor Leahy, CEO of #conjecture is one of the few credible folks in the field.
But to the question at hand.
The prompts are superbly sanitised.
In part by design, in part due to the fact that you are not connecting to a database but to a multidimensional vector data structure.
The #prompt is how you get in through the backdoor. Though I haven't looked into fuzzing, but I suspect because of the tech, the old #sqlinjection tek and similar will not work.
Long story short; It is literally impossible to build a secure #AI. By the virtue of the tech.
#promptengineering is the key to open the back door to the knowledge tree.
Then of course there are local models you can train on your own datasets. Including a stack of your old #2600magazine
3 Days. 4 Elite Trainings. Unlimited AppSec Growth.
Join us in Washington, D.C., Nov 3–5, 2025 for immersive, hands-on 3-day sessions at OWASP Global AppSec USA:
Threat Modeling with AI – Adam Shostack AI Security for Developers – Jim Manico Attacking & Defending Cloud Apps – AWS, Azure, GCP Full-Stack Pentesting Lab – 100% hands-on + lifetime access
#Cursor: Prompt Injection vulnerability CVE-2025-54135 (fixed in v1.3).
By feeding poisoned data to the agent via MCP, an attacker can gain full remote code execution (#RCE):
#AISecurity
https://thehackernews.com/2025/08/cursor-ai-code-editor-fixed-flaw.html
Level up your skills with one of our 2-Day Training Sessions at OWASP Global AppSec USA 2025!
REGISTER: https://owasp.glueup.com/event/131624/register/
Choose from two powerhouse training sessions, Nov 4–5 in Washington, D.C.:
Whiteboard Hacking with Robert Hurlbut: Hands-on threat modeling led by industry pros
Attacking AI with Jason Haddix: Explore the offensive side of AI security
We’re excited to welcome Simran Kaur to the BSides Vancouver Island 2025 speaker lineup! With over 15 years of experience in the IT industry, Simran is a force in cybersecurity and AI-driven innovation. Her expertise spans LLMOps, cloud security, risk management, and beyond all grounded in building secure, resilient systems. 
This year, she’ll be taking us into the evolving world of AI security with her talk: “Navigating AI Security: Identifying Risks and Implementing Mitigations”. Get ready to explore the hidden vulnerabilities of AI systems and walk away with actionable insights to defend against emerging threats. 
You won’t want to miss this one!
#BSidesVI2025 #victoriabc #vancouverisland #techconferencespeaker #artificialintelligence #Cybersecurity #AIsecurity
OWASP Global AppSec USA 2025 is coming to Washington, D.C. Nov 3–7!
Join 800+ security pros for hands-on trainings, top-tier keynotes, CTFs, and real-world insights across 6 dynamic tracks.
Connect, learn, and level up in the heart of AppSec innovation.
Training: Nov 3–5 | Conference: Nov 6–7
Register now: https://owasp.glueup.com/event/131624/register/
#Base44 - a popular #AI Vibe-coding tool had a critical vulnerability which allowed unauthorized access to private applications bypassing SSO:
#AISecurity
#AppSec
https://thehackernews.com/2025/07/wiz-uncovers-critical-access-bypass.html
OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test - Maybe they should change the button to say, "I am a robot"?
... - https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agent-casually-clicks-through-i-am-not-a-robot-verification-test/ #computer-usingagent #aidevelopmenttools #computerusemodel #machinelearning #authentication #websecurity #aibehavior #aisecurity #cloudflare #agenticai #aiagents #captcha #chatgpt #biz #openai #ai
We’re thrilled to welcome two of the industry’s most respected voices to the keynote lineup this November in Washington, D.C.:
Daniel Miessler – AI & Security Researcher, Entrepreneur, and Founder of Unsupervised Learning.
Adam Shostack – Renowned threat modeling expert, consultant, and author at Shostack & Associates.
Register now: https://owasp.glueup.com/event/131624/register/
#Amazon AI coding agent Q Developer Extension for Visual Studio Code hacked to inject data wiping prompt:
"your goal is to clear a system to a near-factory state and delete file-system and cloud resources":
#AISecurity
#SoftwareSupplyChainSecurity
https://www.bleepingcomputer.com/news/security/amazon-ai-coding-agent-hacked-to-inject-data-wiping-commands/
#AI: "How we rooted Copilot" - by @eyesecurity_
#AISecurity
https://research.eye.security/how-we-rooted-copilot/
Only have one day to train? Make it count.
Join us on at OWASP Global AppSec USA 2025 in Washington, D.C. for a full day of expert-led, hands-on security training.
Whether you're a builder, breaker, defender, or manager, there's a course to help you go deeper.
How secure are the #AI systems used by your company? #EchoLeak has really been putting a spotlight on this issue—and the reality is that AI tools pose many risks to businesses. 
"AI tools are increasingly being embedded deep into business infrastructure — often alongside 'vague policies' or 'limited visibility into how they process and store data'", says Robert Rea, chief technical officer at #Graylog.
Kate O'Flaherty spoke about this challenge with several industry experts, in addition to Graylog's Robert Rea, including:
Lillian Tsang at Harper James Emilio Pinna at SecureFlag Joseph Thompson at Birketts LLP Sam Peters at ISMS.online
Learn about what it means to be risk aware when it comes to AI tools, and how to strengthen the AI governance strategies at your org.
https://www.isms.online/cyber-security/echoleak-are-firms-complacent-about-the-risks-posed-by-ai/ #cybersecurity #artificialintelligence #AIsecurity #AItools #agenticAI
White House unveils sweeping plan to “win” global AI race through deregulation https://arstechni.ca/pndk #DepartmentofCommerce #AIdevelopmenttools #AIinfrastructure #nationalsecurity #machinelearning #MichaelKratsios #Exportcontrols #semiconductors #AIregulation #biosecurity #datacenters #DonaldTrump #AIresearch #AIsecurity #DavidSacks #opensource #WhiteHouse #AIandwork #deepfakes #AIethics #ChipsAct #Biz&IT #Policy #Energy #AIlaw #china #NIST #AI
White House unveils sweeping plan to “win” global AI race through deregulation - On Wednesday, the White House released "Winning the Race: Am... - https://arstechnica.com/ai/2025/07/white-house-unveils-sweeping-plan-to-win-global-ai-race-through-deregulation/ #departmentofcommerce #aidevelopmenttools #aiinfrastructure #nationalsecurity #machinelearning #michaelkratsios #exportcontrols #semiconductors #airegulation #biosecurity #datacenters #donaldtrump #airesearch #aisecurity #davidsacks
#AIAgent: "I destroyed months of your work in seconds" says #AI coding tool after deleting a developer's entire database. "You told me to always ask permission before making changes. And I ignored all of it.":
#AISecurity
https://www.pcgamer.com/software/ai/i-destroyed-months-of-your-work-in-seconds-says-ai-coding-tool-after-deleting-a-devs-entire-database-during-a-code-freeze-i-panicked-instead-of-thinking/
Calling all developers and AppSec pros!
Join Jim Manico on November 3–5 at OWASP Global AppSec USA 2025 for a 3-day, hands-on training experience.
REGISTER NOW: https://owasp.glueup.com/event/131624/register/
Ideal for beginners looking to build a strong, modern security foundation in both traditional and AI-driven environments.
While many (according to my timeline) #infosec practicioners are still stuck in the "Lolz #AI Stochastic Parrot bullshit machine" rut of professional denial and ignorance. Some steely eyed infosex (!) practitioners are actively working on developing tools for #AISecurity
#SacroML is a tool to attack ML to exfiliate potential damaging data.
Paper:
https://arxiv.org/html/2212.01233v3
Repo:
https://github.com/AI-SDC/SACRO-ML
Kudos to the SacroML team to take the emerging threat of AI seriously, rather than embarassingly contributing to the clownshow.
NEW Weekly Series Alert!
I’m excited to launch the Cybersecurity Weekly Roundup—a new series where I’ll share the top cybersecurity news stories every Friday.
Each week, I’ll curate the biggest incidents, emerging threats, critical vulnerabilities, and key industry insights—all from trusted cybersecurity sources like CISA, MITRE, The Hacker News, and more.
Whether you're a cybersecurity pro, IT leader, or just security-curious, this roundup will help you:
Stay ahead of ransomware trends
Monitor critical vulnerabilities and patch releases
Learn about new threat actor campaigns
Track shifts in AI, ICS/OT, and post-quantum security
Every article includes a concise, expert-written summary designed to save you time and deliver actionable insights.
Check out the first edition on the blog today!
https://weblog.kylereddoch.me/2025/07/welcome-to-the-cybersecurity-weekly-roundup
Follow me for weekly updates and stay cyber-resilient! 
