Safeguard
Tag

vulnerability-disclosure

Safeguard articles tagged "vulnerability-disclosure" — guides, analysis, and best practices for software supply chain and application security.

25 articles

Application Security

Inside the Qinglong Scheduler RCE: How Two Auth Bugs Became a Cryptomining Campaign

Two chainable auth-bypass bugs in the Qinglong task scheduler let attackers skip login entirely and mine crypto on victim CPUs — in the wild before a patch existed.

Jul 16, 20265 min read
Compliance & Frameworks

A Practical Guide to EU Cyber Resilience Act Compliance

The CRA's 24-hour vulnerability reporting clock starts 11 September 2026. Here's how to build the SDLC changes now instead of scrambling later.

Jul 9, 20266 min read
Application Security

A practical guide to bug bounty hunting

HackerOne alone has paid hackers over $300M since 2012, but most new researchers earn nothing — duplicates, not skill gaps, are the top reason first reports fail.

Jul 7, 20267 min read
Vulnerability Analysis

Cybersecurity Research Center (CyRC): vulnerability resea...

What is Black Duck's CyRC, how does it research and disclose vulnerabilities, and where do its coverage gaps leave your open source supply chain exposed?

Jun 10, 20267 min read
SBOM & Compliance

Cyber Resilience Act (CRA) Compliance for Software Vendors

CRA reporting duties start Sept 2026; fines reach 2.5% of global turnover. What software vendors must do for SBOMs, vulnerability reporting, and audits.

May 15, 20268 min read
Compliance

Responsible vulnerability disclosure policy comparison

Safeguard and Socket.dev both publish vulnerability disclosure policies—but their SLAs, bounty terms, and scope differ. A sourced, line-by-line comparison for vendor due diligence.

May 12, 20267 min read
Regulation

CRA Article 14: 24-Hour Early Warning and 72-Hour Reporting Explained

Article 14 of the Cyber Resilience Act mandates dual notifications to coordinating CSIRTs and ENISA within 24 hours of awareness. Reporting starts 11 September 2026.

Mar 4, 20266 min read
Regulation

ENISA's CRA Single Reporting Platform Goes Live September 2026

From 11 September 2026, every CRA manufacturer must file a 24-hour early warning of actively exploited vulnerabilities through one ENISA-operated portal — and the platform is being built right now.

Mar 4, 20267 min read
Compliance

What is the EU Cyber Resilience Act

The EU Cyber Resilience Act sets binding cybersecurity rules for digital products, with reporting due by Sept 2026 and full compliance by Dec 2027.

Feb 26, 20266 min read
Best Practices

What is a Bug Bounty Program

A bug bounty program pays researchers to find and report vulnerabilities before attackers do. Here's how they work, what they cost, and their limits.

Feb 14, 20266 min read
Best Practices

What is Responsible Disclosure

What responsible disclosure means, how 45-90 day timelines work in practice, and how coordinated CVE reporting like Log4Shell actually played out.

Feb 14, 20266 min read
SBOM

Medical device firmware SBOM and coordinated vulnerabilit...

How medical device firmware SBOMs, FDA Section 524B, ISO 81001-5-1, and coordinated vulnerability disclosure work together to secure connected IoMT devices.

Jan 1, 20267 min read
vulnerability-disclosure — Safeguard Blog