actae0n
243 posts

actae0n retweeted

New Qualys blog is, once again, excellent: cdn2.qualys.com/advisory/2026/…

@yo_yo_yo_jbo There's CVEs that I filed years ago that never received a reply at all, and most of the ones I've filed in recent time have taken months to get first reply on (and the descriptions were still incorrect, despite me giving them a nice detailed correct one). 🤷🏻‍♂️

Who do I know at #MITRE CVE assignment team? I think 2 weeks for a remote buffer overflow is too long...
actae0n retweeted

Get your macOS 26.3 xnu Library, CodeQL DB (and compile_commands.json) here! 👩
github.com/blacktop/darwi…

@rez0__ @Hacker0x01 Same experience recently. Adjusted severity down, I asked for an explanation (since previously their severity rating and mine matched). Closed the report with no additional response.

The past few days have been the worst triager experience of my life with @Hacker0x01. It legitimately feels like they are intentionally downgrading reports, ignoring reasons for the severity, and not explaining their decisions at all.
The last part is the most infuriating.
actae0n retweeted

Pwndbg 2026.02.18 is out!
We visualize branches in nearpc, sync ur decompiler (IDA/Binja/Ghidra) via decomp2dbg, annotate stack vars from dbgsyms/decomp, added new cmds for tracing kernel allocs/frees, dump task info: github.com/pwndbg/pwndbg/…
Sponsor us: github.com/sponsors/pwndb…




@kaepora I've been pushed to my wits' end dealing with vendors that think like this. It's like there's no object permanence in their head. They think the vulnerability literally doesn't exist until someone finds it, like researchers are "creating" bugs. Frustrating to no end.

"I'm sorry, we're not accepting your free fixes to five security vulnerabilities, which you reported with professional, working pull requests, because we think you suck and also you didn't email us privately about them first. Thank you, we are scientists with a high level of scientific integrity"

A big change of pace for my security research:
I'm now working @OpenAI to build on and improve GPT's ability to detect and remediate complex vulnerabilities
@daveaitel and a lot of other brilliant people
Excited to see where this goes, lots of ideas to try...

@_JeremyMoseley @DemetriusZhomir You context wipe before swapping into autopilot?

@DemetriusZhomir My workflow typically is to use plan mode to do a long planning session, then flip to autopilot mode to implement it

trying Autopilot mode in GitHub Copilot now
seeing it spent 30+ mins making no edits yet,
just reading files, skills...
and even running lint & checks for no obvious reasons
have no fkin idea when it's gonna finish
& what it's gonna ship (if anything)
wish me luck

Jeremy Moseley @_JeremyMoseley
Ralph, welcome to Copilot. Autopilot mode shipped behind --experimental today.
actae0n retweeted

Tracking Signal Identifiers
Signal groups, the "ICE tracker" channels, are under FBI investigation. Members rapidly change display aliases, usernames, and channels. But users can track others through changes and the FBI can ID them all. Here's how:
scriptjunkie.us/2026/01/tracki…

Go get those agentic gains in Word, PowerPoint and Excel. GitHub Copilot CLI and add-in required. github.com/patniko/github…
Patrick Nikoletich @patniko
Feel like I should just stop holding out on sharing these plugins publicly now that the Copilot SDK is available.

Was poking at the new Cowork feature in Claude Desktop, found a way to piggyback on its TCC grants. Internal app APIs accessed via Chromium debugging. Disclosed to the vendor and marked as Informative / WontFix. You may as well be informed 😉
0day.gg/blog/claude-de…

@_JeremyMoseley @nfa1379 What context management techniques does this actually refer to? What expectations do we need to have when interacting with the agent? Is it something more sophisticated than conventional compaction as you hit the token limit?

@nfa1379 With our new context window management features, you don't need to worry about context windows. I use this every day.

@patniko @xiaoxxchan @AmpCode I would really prefer this as well. The "vendorization" of features that are supposed to be standards has been kinda frustrating.

@xiaoxxchan @AmpCode I’ll make this happen at GitHub if people really want it. I would prefer it.

"Agent skills should not need vendor-specific directory layouts, duplicate copies, or symlink hacks to be usable across clients."
So Kimi CLI uses
- ~/.config/agents/skills/ (user level)
- .agents/skills/ (project level)
btw, @AmpCode uses the same convention.
Hope we can have a less chaotic future...


@kdaigle Been trying to drive my main work with it recently. Pretty happy with the experience so far, and looks like you guys are making quick strides while adding your own touches. Looking forward to see where the project goes. Very happy it's not just a bad claude clone.

@actae0n You can define custom agents: docs.github.com/en/copilot/how…
Context management, skills, plan mode, and more: github.blog/changelog/2026…
BYOK is available in Copilot for Business and Enterprise, at the moment.
Not all the way there, but the team is moving fast to meet the needs.

The Copilot CLI has been on an absolute tear.
• Delegate to the cloud
• Instruct which model to use
• Memory
• Modes like explore, plan, review
Give it a try with 5.2-codex, Opus, and more. Let us know what you need. We’ll use CLI to build the next CLI ships.
Evan Boyle @_Evan_Boyle
Starting side quests just got easier. The Copilot CLI now supports `&` to delegate work to the cloud.


