Apple patched a 13-year-old bug in WebKit yesterday.
Apex, Cantina's autonomous AppSec agent, found it.
It's one of three Apex findings in the same release. Two are CSP bypasses.
Full writeup: cantina.review/ze5
Deepfake fraud is now one of the costliest security threats, and it has become much easier to execute. Real-time video deepfakes have moved from demos to criminal operations.
Here’s a full breakdown of how to spot them: cantina.review/deepfakes-0cb2…
Vendors publish their wins. @chrispyprojects, who taught Apex (our AI appsec solution) how to hunt, published its full scorecard against human audits, some costing $500,000+: every critical and high matched, plus live bugs the audits missed.
AI security claims should be backed
I think it’s very hard to defend that Web3/Blockchain Security Audits are not solved by Autonomous AI Bug Hunters like Cantina’s Apex.
Not only are we #1 on the HackerOne US business leaderboard, but we also (a very small team) used Apex to farm nearly $1M in bounties in the
Join the Lido Community Call next Thursday.
Catch up on what’s next for the Lido staking modules, Lido's recent Web3SOC certification, and guest sessions on client diversity.
Add it to your calendar: luma.com/pmb473ba
We detected that Pathling, an open-source FHIR analytics server from the e-Health Research Centre, has an $import-pnp operation that sends the server's OAuth credentials to any URL the caller specifies.
Any authenticated user can trigger the chain with a single HTTP request,
This is the Fable "vulnerability" the USG claims: ask the model to read a codebase and fix flaws.
Anthropic is right: you can't fix this. Cybersecurity is double-edged: the same part of the model's brain that finds exploits also helps write secure software.
The only fix is to
I’ve had a number of conversations with folks inside and outside government about the current situation with Anthropic, and here is what I believe to be true:
— As we know, Anthropic publicly released its Mythos class models earlier this week under the commercial name Fable.
Cantina threat discovery: Apple's swift-crypto reads memory it shouldn't when a network peer sends a short post-quantum key.
That's what we found in Apple's swift-crypto. The X-Wing HPKE decapsulation runs in Swift and forwards its input to a BoringSSL C function that expects
Two memory-safety bugs in the same Ruby core file, 30 months apart.
We found the second in the pthread DNS resolver that byroot at Shopify hit in 2023 and Ruby committers patched within hours.
If an attacker can delay DNS responses to a Ruby 4.0.x app, they can crash the
In the 2026 Verizon DBIR, a stark data point stands out: healthcare’s incident-to-breach conversion rate is now 96% and only 26% of critical vulnerabilities are fully patched.
We’re excited to join the HealthSec panel “Optimizing Cybersecurity Spend in Healthcare: Balancing
$250,000 bug bounty now live: @3f_xyz is opening its leveraged RWA vault contracts on @Morpho for security research on Cantina.
Up for a new challenge? Start the hunt here, researchers: cantina.xyz/bounties/d5586…