Tag: disclosure
After Google publicized the flaw seven days after a patch was issued, the Epic Games CEO called out the company for irresponsible disclosure.
The good news is that the cost of a data breach is down double-digits; the bad news is that the size and scope of breaches are creeping up.
The government announced its second bug bounty program called Hack the Army, which will concentrate on finding bugs in recruiting websites and databases.
Microsoft released 14 security bulletins today, six rated critical. Among the fixes is a patch for a Windows kernel zero-day vulnerability disclosed by Google that was being used in attacks by the Sofacy APT gang.
Investigating state-sponsored espionage and counterterrorism is one thing. Writing public reports about these activities is another.
Security and policy experts make another call for additional transparency around the government’s Vulnerabilities Equities Process and the zero days it has in its possession.
Mike Mimoso talks to Katie Moussouris about her newly launched consultancy Luta Security, the Hack the Pentagon bug bounty program, and some ISO news around vulnerability disclosure. Music by Chris Gonsalves
For the second time in two weeks, researchers have discovered a three-year-old broken patch for a vulnerability in IBM’s Java SDK implementation. The flaw allows an attacker to execute code outside the Java sandbox, and still affects current versions of IBM SDK, 7 and 8, released in January. Details of the vulnerability and proof-of-concept...