Trail of Bits

Computer and Network Security

New York, NY 21,230 followers

Deepening the Science of Security

About us

Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks.

Industry: Computer and Network Security
Company size: 51-200 employees
Headquarters: New York, NY
Type: Privately Held
Founded: 2012
Specialties: software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, Application Security, and AI/ML

Updates

  • We were one of four initial grant recipients in OpenAI's Trusted Access for Cyber program. Daybreak matters because frontier models now find bugs faster than maintainers can triage them, and that gap is about to get worse. Next-gen models can bury open-source maintainers in reports.

    While working with frontier labs this year, we have seen the bottleneck shift. Bug finding is easy, but triaging, disclosing, and fixing them takes disproportionate time and effort. Each finding still needs a human to confirm the bug, a static or dynamic check to reproduce it, a working proof-of-concept, and a minimal patch. That work is heavy, and right now it falls on the maintainer.

    On the OSS engagements we ran this year, we prioritized minimizing maintainer workload and keeping noise out of their inboxes. Every report we sent included a PoC, a fix patch, and a regression test. Anything that did not clear that bar did not get sent.

    Commonly used software has never been short of bugs. Cyber-tier models will surface them at machine speed with little human effort, and the volume will overwhelm OSS projects without clear processes for disclosure, triage, and remediation.

    If you maintain an OSS project, do four things:
    1. Publish a SECURITY.md. If you already have one, verify the reporting flow still works end to end.
    2. Set a high bar for submissions. Require a PoC, a fix patch, and a regression test wherever possible.
    3. Build validation harnesses that quickly answer three questions: is the bug real, does the fix work, and does anything else break?
    4. Sandbox those harnesses. Malicious reports are a credible threat once the cost of generating them drops to near zero.

    Bug finding is getting faster. Triage, verification, disclosure, and patching have to catch up.

    OpenAI for Business

    Today we’re announcing Daybreak, our vision for a new era of cyber defense. AI is changing what defenders can do. Teams can now reason across massive codebases, identify subtle vulnerabilities, validate fixes, analyze unfamiliar systems, and move to remediation faster than ever before. But these capabilities need to be paired with trust, verification, safeguards, and accountability. That’s why we launched Daybreak. Daybreak brings together OpenAI models, Codex, and our security partners to help defenders find issues, validate fixes, and move from discovery to remediation faster. Learn more about Daybreak in the comments. We’re also offering companies a guided vulnerability assessment. Fill out the form on the Daybreak site if you’re interested in learning more.

  • Go's built-in fuzzer is one of the easiest in the industry to use, but it stands far behind what Rust, C, and C++ researchers get with LibAFL and AFL++. gosentry, our fork of the Go toolchain, solves this. It's a fuzzing-oriented Go that keeps the standard `testing.F` workflow and `go test -fuzz` interface, but routes execution through a LibAFL-based engine in Rust. Point existing harnesses at gosentry's binary to get coverage-guided fuzzing, struct-aware mutation, Nautilus grammar fuzzing, race and goroutine leak detection, and one-command coverage reports. We've already used it to disclose 4 bugs in Optimism and Revm via grammar-based differential fuzzing. https://lnkd.in/eAgrctX6

  • Trail of Bits reposted this

    After four years in blockchain security, I'm ready for the full security stack. Thrilled to share that I joined Trail of Bits as Partnerships & Business Development Manager. Modern attacks are sophisticated, multi-vector, and don't respect vertical boundaries. Trail of Bits addresses these threats across every layer, with dedicated practices across application security, AI/ML, blockchain and cryptography that seamlessly come together to tackle the most complex security challenges. Some of the world's most targeted organizations trust Trail of Bits, including Google, Meta, Airbnb, GitHub, Linux, Offchain Labs, Uniswap, Franklin Templeton, Perplexity, Hugging Face and many others. If you're working in blockchain, AI/ML, AppSec, cryptography, or at the intersection of all four, let's talk. My DMs are open, coffee is always a good idea, and I'm genuinely excited to connect. Thank you to John Mudry, Chris Dahlheimer, Colby Ring, Karsten Cross and John Arnold for a fantastic process and warm welcome! P.S. If you're at Proof of Talk in Paris in June, I would love to meet in person.

  • We submitted SequenceHash to the Community Cryptography Specification Project (C2SP). It's a new spec that prevents a common class of bugs by safely combining multiple inputs into a single hash with any hash function. Think TupleHash, generalized so it works on top of SHA-256, BLAKE2, or any underlying hash function. Useful anywhere a protocol hashes a tuple of inputs: signatures, commitments, transcripts. The draft is open for review on C2SP, part of our ongoing contributions to open cryptographic standards. https://lnkd.in/ex-8YpdJ

  • Trail of Bits reposted this

    Last Saturday, NYU CSE welcomed alumni, faculty, students, and industry leaders for the Alumni Summit: Engineering, Technology & What’s Next — a day dedicated to exploring the future of engineering, cybersecurity, emerging technologies, and the evolving impact of the CSE community beyond NYU. The summit brought together voices from across industries for conversations on innovation, leadership, and the rapidly changing technology landscape, while also celebrating the alumni whose work continues to make a meaningful impact both within and beyond our department. We were especially proud to recognize Channi Greenwall, recipient of the Service to the Department Award. Following her time at NYU, Channi went on to found and serve as CEO of Olympix, building an impressive career in smart contract and Web3 security. Beyond her professional accomplishments, she has remained deeply engaged with the CSE community by mentoring students, helping connect them with internship opportunities, returning as a guest speaker, and supporting departmental outreach efforts. Her continued involvement has provided students with valuable industry insight while strengthening the connection between our department and its alumni network. We also honored Daniel Guido with the Professional Achievement Award for his exceptional leadership and contributions to the field of cybersecurity. As CEO and co-founder of Trail of Bits, Daniel has helped shape some of the industry’s most important advances in security research, software assurance, cryptography, AI, and blockchain security. Thank you to everyone who joined us for a day of thoughtful discussions, reconnecting with our alumni network, and reflecting on what’s next for engineering and technology. The future of CSE continues to be driven by the incredible community behind it.

  • 30 readers took our C/C++ challenge. Some solved the Linux warmup, but nobody cracked the Windows driver bug. LLM-assisted answers consistently flagged the SSRF concern in the Linux code but missed the actual command injection. The walkthrough breaks down both challenges and shows how the Windows registry type confusion escalates from local denial of service to kernel-level code execution. Best 10 submissions are still getting swag. If you won, we'll be in contact. https://lnkd.in/eURFqHuy

  • Trail of Bits reposted this

    📚 tl;dr sec 326 - AI Auto Exploiting Vulnerabilities GitHub RCE Autonomous Cloud Hacking Agent

    ✨ Highlights

    👨💻 AppSec 👨💻
    - A tool for embedding XXE/XML exploits into different filetypes - Willis Vandevanter
    - Trailmark turns code into graphs - Trail of Bits
    - Wiz Research uncovers Remote Code Execution in - Sagi Tzadik

    ☁️ Cloud Security ☁️
    - CloudTrail for AI Agents - Alex Smolen
    - Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System - Yahav Festinger, Chen Doytshman

    ⛓ Supply Chain ⛓
    - The case for dependency cooldowns in a post-axios world - Kennedy Toomey
    - cooldowns.dev - Martin Prpič

    🛡 Blue Team 🛡
    - rustinel: Open-source endpoint detection for Windows and Linux - Théo Foucher
    - Tracking Adversaries: EvilCorp, the RansomHub affiliate - Will Thomas
    - Why a Decade of Writing Detection Logic Makes the Mythos Exploit Numbers Less Scary - David Burkett

    🤖 AI + Security 🤖
    - redai: A terminal workbench for AI-driven vulnerability discovery and live validation - Kyle Polley
    - MOAK - Mother of All KEVs - Niv Hoffman, Yair Saban
    - GPT-5.5: Mythos-Like Hacking, Open to All - Albert Ziegler, Steve Buckley
    - CTFs in the AI Era - Laurence Tennant

    and more! 🚀 https://lnkd.in/gG-R44Pf

    #cybersecurity #infosec #security #ciso #ai

  • libVLC powers VLC media player, which has been downloaded more than 6 billion times. Our audit produced structural improvements, not just bug fixes. HTTPS for self-update and build dependencies, three new fuzzing harnesses for URL, CSS, and JSON parsing. More in the report.

    Today we proudly share the results of our security audit of LibVLC. With auditing by Trail of Bits and funding provided by the Sovereign Tech Agency, LibVLC received scoped security work, custom tools and fixes, and documentation for future security development. Read more about the work performed on the open source core engine and foundation of VLC media player on our blog: https://lnkd.in/gMb7_tH9 A special thank you to Jean-Baptiste Kempf and Thomas Guillem for their efforts specifically on this engagement and generally for the LibVLC project. #OSTIF #libVLC #TrailofBIts #SovereignTechAgency

  • Trail of Bits reposted this

    Last August, some of the best cybersecurity teams in the business gathered in Las Vegas to demonstrate the strength of their AI bug-finding systems at the Defense Advanced Research Projects Agency (DARPA)’s Artificial Intelligence Cyber Challenge (AIxCC). The tools had scanned 54 million lines of actual software code that DARPA had injected with artificial flaws. The teams were capable enough to identify most of the artificial bugs, but their automated tools went beyond that — they found more than a dozen bugs that DARPA hadn’t inserted at all. Even before the security earthquake that Anthropic delivered this month with Claude Mythos — the new AI model that seems to find vulnerabilities in every piece of software it’s pointed at — automated systems were growing increasingly capable of finding coding flaws. And fears are growing that not only can AI detect these flaws, but also be used to exploit them, putting hacking skills into the hands of everyone across the planet. This isn’t an empty threat. For decades, this type of no-skill hacker, known as a script kiddie, has wreaked havoc, running scripts they ripped from the internet or copied from exploit tool kits. They didn’t fully understand or have the technical know-how to write these scripts themselves. And yet they were still able to deface websites and propagate viruses. What’s happening now represents a major escalation, where people without technical backgrounds are able to use AI to enhance their capabilities in a way that wasn’t possible with simple scripts. It is likely to have far more wide-reaching repercussions. “There’s a tidal wave coming. You can see it. We can all see it,” said Dan Guido, CEO and cofounder of cybersecurity firm Trail of Bits, which was a runner-up in the challenge. “Are you going to lay down and die, or are you going to do something about it?” Even beyond Project Glasswing, Anthropic is trying to prevent the misuse of its software by criminals. 
    A week after announcing Mythos, the company released Claude Opus 4.7, which for the first time built in safeguards meant to block malicious cybersecurity requests. (Security professionals who want to use the model defensively can apply to the company’s Cyber Verification Program.) Anthropic’s announcement of Mythos sent shockwaves throughout the industry, but there were warning signs of AI’s cybersecurity prowess prior to it. In June 2025, the autonomous offensive security platform XBOW beat out human hackers to top the leaderboard of HackerOne, a bug bounty platform, indicating big leaps in the ability of AI models to find bugs. By the time AIxCC rolled around, “there were already 10 to 20 different bug-finding systems that could find orders of multitude more bugs than we could patch,” Guido said. “This is actually not a new problem.” https://lnkd.in/gZzynYyK
