vulnerability-disclosure
Safeguard articles tagged "vulnerability-disclosure" — guides, analysis, and best practices for software supply chain and application security.
25 articles
Inside the Qinglong Scheduler RCE: How Two Auth Bugs Became a Cryptomining Campaign
Two chainable auth-bypass bugs in the Qinglong task scheduler let attackers skip login entirely and mine crypto on victim CPUs — in the wild before a patch existed.
A Practical Guide to EU Cyber Resilience Act Compliance
The CRA's 24-hour vulnerability reporting clock starts 11 September 2026. Here's how to build the SDLC changes now instead of scrambling later.
A practical guide to bug bounty hunting
HackerOne alone has paid hackers over $300M since 2012, but most new researchers earn nothing — duplicates, not skill gaps, are the top reason first reports fail.
Cybersecurity Research Center (CyRC): vulnerability resea...
What is Black Duck's CyRC, how does it research and disclose vulnerabilities, and where do its coverage gaps leave your open source supply chain exposed?
Cyber Resilience Act (CRA) Compliance for Software Vendors
CRA reporting duties start Sept 2026; fines reach 2.5% of global turnover. What software vendors must do for SBOMs, vulnerability reporting, and audits.
Responsible vulnerability disclosure policy comparison
Safeguard and Socket.dev both publish vulnerability disclosure policies—but their SLAs, bounty terms, and scope differ. A sourced, line-by-line comparison for vendor due diligence.
CRA Article 14: 24-Hour Early Warning and 72-Hour Reporting Explained
Article 14 of the Cyber Resilience Act mandates dual notifications to coordinating CSIRTs and ENISA within 24 hours of awareness. Reporting starts 11 September 2026.
ENISA's CRA Single Reporting Platform Goes Live September 2026
From 11 September 2026, every CRA manufacturer must file a 24-hour early warning of actively exploited vulnerabilities through one ENISA-operated portal — and the platform is being built right now.
What is the EU Cyber Resilience Act
The EU Cyber Resilience Act sets binding cybersecurity rules for digital products, with reporting due by Sept 2026 and full compliance by Dec 2027.
What is a Bug Bounty Program
A bug bounty program pays researchers to find and report vulnerabilities before attackers do. Here's how they work, what they cost, and their limits.
What is Responsible Disclosure
What responsible disclosure means, how 45-90 day timelines work in practice, and how coordinated CVE reporting like Log4Shell actually played out.
Medical device firmware SBOM and coordinated vulnerabilit...
How medical device firmware SBOMs, FDA Section 524B, ISO 81001-5-1, and coordinated vulnerability disclosure work together to secure connected IoMT devices.