This is not surprising.
The industry knowledge had by the thousands of engineers laid off has to go somewhere.
Well, when you report a bug to ms and they respond by disabling your account, and you then release the 0day, ms responds with a public blog post saying people who release 0days are breaking the law and liable for legal action; of course you then drop a second 0day, and ms responds by retracting the legal threat, so you now drop a third one while your account to report these bugs is still disabled. What else would you do?
Drop a 4th one?
They did, this is the 7th, with more to come.
2nd bitlocker backdoor
I cannot trust bitlocker, my IT team installed an update and it never came on when it restarted. When I raised it they said they bypass it for updates. I thought it was unbypassable by design
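Suspending BitLocker for a reboot (for example around a firmware or feature update) is a documented feature of the built-in BitLocker module, not a bypass of the encryption: the volume stays encrypted, but its key protectors are not enforced until protection is resumed. The following PowerShell is an added example (not from any commenter in this thread) that finds volumes left in that state so an admin can confirm protection actually came back on; it assumes the standard BitLocker cmdlets on Windows 10/11 or Server, run from an elevated session, and the `-Resume` switch is this script's own hypothetical option.

```powershell
# Added example: report (and optionally resume) BitLocker volumes whose protection is suspended.
# Assumes the built-in BitLocker PowerShell module; run elevated.
param([switch]$Resume)   # -Resume is a switch defined by this script, not a BitLocker cmdlet parameter

# A suspended volume is still fully encrypted, but ProtectionStatus reports Off
# because the key protectors (TPM, PIN, recovery password, ...) are not being enforced.
$suspended = Get-BitLockerVolume | Where-Object {
    $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off'
}

if (-not $suspended) {
    Write-Output "No suspended BitLocker volumes found."
    return
}

foreach ($vol in $suspended) {
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    Write-Warning ("{0}: encrypted ({1}) but protection is suspended; configured protectors: {2}" -f
        $vol.MountPoint, $vol.EncryptionMethod, $protectors)

    if ($Resume) {
        # Resume-BitLocker re-enforces the existing protectors; no re-encryption is needed.
        Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        Write-Output ("{0}: protection resumed" -f $vol.MountPoint)
    }
}
```

Run it without arguments to audit; run with `-Resume` to re-enable protection on anything that was left suspended. The useful check after an update is not whether the drive is encrypted (it always is) but whether `ProtectionStatus` is back to `On`.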
I look forward to it.
lol is this cheaper than just paying the fucking bounty? I’m beginning to wonder.
How could it be? Any news is good news.
Companies who use Microsoft don’t care about security
This is not about that. This is about a security researcher that wasn’t paid by Microsoft’s bug bounty program when they found a security bug.
Bug bounty programs exist to prevent this exact scenario. To give people a reward for privately disclosing the vulnerability with the devs instead of publicly/to a bad actor.
AMD fucked up recently about that as well. It seems big tech is getting so arrogant and so far up its own ass that they can’t even admit to bugs anymore, which is problematic considering their sloppy AI slop never had so many bugs as it does now.
That’s why they don’t wanna hear about them
Honestly, it’s the opposite: AI is exposing so many bad security bugs that they are having a hard time keeping up.
That’s overblown. Yes, people are finding security bugs with AI, you will always get that when adding new tests with a different perspective. But the “having a hard time keeping up” comes from the AI constantly spamming devs with duplicate issues.
NIST has already updated their CVE policies because of “record CVE growth”.
This change is driven by a surge in CVE *submissions*, which increased 263% between 2020 and 2025.
Hmmmm, I wonder wtf happened during those years?
Emphasis mine.
Your link doesn’t refute what I said. I acknowledged that there is an increase in bugs being found. That’s inevitable when you add a new tool.
My argument is that the framing is overblown. Sure, the submissions increased 263%, but how many of those are duplicate issues? Is it more like a 22% increase in actual bugs being found, with each being duplicated a dozen times on average? Big numbers are what get attention, but when you only frame an argument around the big number you lose a lot of the context.
I recall either Lutris or Heroic games launcher actually seeing a (probably temporary) spike in bugs being found due to AI, but they were getting swamped by the same bugs being reported over and over in a short timespan. Each of those reports needs to be looked over with the same amount of scrutiny, so flooding a repository with duplicate issues becomes a major drain on dev resources.
Also, working in software myself, you always see a spike in issues when you first add a new test or check to your code. Then as you resolve those issues they drop back down. That’s not that different from what we’re seeing here with AI bug reporting.
https://depthfirst.com/research/21-zero-days-in-ffmpeg
All of these are legit. Some of these are from decades ago.