All news in category "Vendor and Hyperscaler Watch"

Securing Cloud Identity Infrastructure Through Collaboration

🔒 CISA's Joint Cyber Defense Collaborative (JCDC) is coordinating with major cloud providers and federal partners to strengthen core cloud identity and authentication systems against sophisticated, nation-state affiliated threats. Recent incidents have exposed risks from token forgery, compromised signing keys, stolen credentials, and gaps in secrets management, logging, and governance. On June 25, a technical exchange convened experts from industry and government to share best practices and explore mitigations such as stateful token validation, token binding, improved secrets rotation and storage, hardware security modules, and enhanced logging to better detect and respond to malicious activity.

MSRC Announces 2025 Most Valuable Security Researchers

🏆 The Microsoft Security Response Center (MSRC) announced its 2025 Most Valuable Researchers (MVRs), recognizing security researchers who submitted valid vulnerability reports under Coordinated Vulnerability Disclosure. The Top 10 MVRs were ranked by total points earned for valid reports submitted between July 1, 2024 and June 30, 2025, and MSRC also highlights annual Technical Leaderboards by product area such as Azure, Office, Windows, and Dynamics 365. Awardees receive digital badges and MSRC swag boxes, and badges recognize achievements for Accuracy, Impact, and Volume.

Chrome on Android: Advanced Protection Enhancements

🔒 Android's Advanced Protection extends Google's device-level security and integrates with Chrome on Android, enabling three core protections to guard high-risk users such as journalists and officials. It forces HTTPS via the Always Use Secure Connections mode, turns on full Site Isolation for devices with 4GB+ RAM, and reduces attack surface by disabling V8's higher-level JavaScript optimizers. Settings are available on Android 16 in Chrome 137+, and enterprises can control behaviors via policies while affected users should enable automatic updates and join the Advanced Protection Program for maximum defense. These measures trade some performance for stronger exploitation resistance.

MSRC 2025 Q2 Security Researcher Leaderboard Top Picks

🏆 Congratulations to the researchers recognized on the MSRC 2025 Q2 Leaderboard. The top three overall are wkai, Brad Schlintz (nmdhkr), and 0x140ce, with category leaders across Azure, Office, Windows, and Dynamics. The leaderboard reflects assessments completed April 1–June 30, 2025, and includes cases submitted earlier but assessed in Q2. MSRC also notes that Researcher Recognition points are now visible in the researcher portal to improve transparency.

Google Open-Sources ZKP Libraries for Age Assurance

🛡️ Google has open sourced its Zero-Knowledge Proof (ZKP) libraries to accelerate privacy-preserving digital ID and age-assurance solutions. Developed with Sparkasse, the release enables people to prove attributes (for example, that they are over 18) without sharing any other personal data. By making a performant ZKP codebase available, Google aims to help developers, researchers, businesses, and governments integrate privacy-first flows, including use cases for the European EUDI Wallet.

Sparkasse Partners with Google for EU Age Assurance

🔐 Google and Germany’s Sparkasse announced a wallet-based EU age assurance service that lets customers prove age online without sharing personal data. Using the Credential Manager API, Google Wallet and zero-knowledge cryptography, Sparkasse will issue trusted credentials across its network of 343 regional savings banks serving 50 million customers. Integration with Android and Chrome enables one-click age checks for apps and sites and will roll out in the coming months.

Rising Star: Dylan, MSRC’s Youngest Security Researcher

🔒 At 13, Dylan became the youngest researcher to collaborate with the Microsoft Security Response Center (MSRC), demonstrating notable technical skill, persistence, and professional communication. He progressed from Scratch to HTML and source-code analysis, discovering vulnerabilities in Teams and other services and reporting them responsibly. His findings influenced bug bounty terms to admit younger researchers while he continues to balance school, competitions, and extracurriculars.