Cybersecurity Brief

Google OSS Rebuild, Zero Day Quest, and NGO Tabletop Exercises

Coverage: 04 Aug 2025 (UTC)

Platforms

Google Blog introduced OSS Rebuild, an open-source project that rebuilds packages from popular registries and publishes verifiable build metadata. The goal is to raise trust in open-source supply chains by comparing rebuilt artifacts to what users actually download, and by issuing SLSA provenance attestations that meet Build Level 3—without requiring any action from package publishers.

OSS Rebuild targets widely used ecosystems—PyPI, npm, and Crates.io—by deriving declarative build definitions, running instrumented builds, and normalizing expected instabilities before comparing results to upstream artifacts. The process is designed to surface issues such as missing or unsubmitted source code in published packages, compromised build environments, and stealthy backdoors that simple static checks can miss. When automation falls short, maintainers or users can supply manual build specifications.

Beyond detecting divergences, the project enriches existing software metadata. It can add build observability to SBOMs, help teams respond faster by enabling reproducible re-hosting or patched rebuilds, and retrofit historical packages with attestations to improve legacy trust. The announcement also notes experiments with AI to extract build and release guidance from human-facing documentation, aiming to expand automation coverage. Consumers can fetch attestations with a provided Go CLI or deploy their own instance using the published infrastructure, making the system suitable for integration into verification and vulnerability management workflows. The effort is positioned as a tool for security teams and consumers rather than a replacement for upstream maintainers, and contributions are invited via the project repository.
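To illustrate the comparison step described above, here is an added Python example (not OSS Rebuild's own code) that diffs a published archive against a rebuilt one after normalizing expected instabilities such as entry timestamps and ordering; the zip layout, the ignored metadata entry and the two sample packages are constructed for this example.

```python
import hashlib
import io
import zipfile

# Entries regenerated on every build whose bytes are expected to drift
# (an assumption for this example; real normalization rules are ecosystem-specific).
IGNORED_ENTRIES = {"META/BUILD_TIMESTAMP"}


def normalize_archive(data: bytes) -> dict[str, str]:
    """Map entry name -> sha256 of content. Zip entry timestamps, entry
    order and ignored metadata are dropped so only content differences remain."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename in IGNORED_ENTRIES:
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare(upstream: bytes, rebuilt: bytes) -> dict[str, list[str]]:
    """Diff the normalized content of the published artifact against the rebuild."""
    up, rb = normalize_archive(upstream), normalize_archive(rebuilt)
    return {
        # Shipped in the registry artifact but never produced from the source tree.
        "only_in_upstream": sorted(set(up) - set(rb)),
        "only_in_rebuilt": sorted(set(rb) - set(up)),
        "differing": sorted(n for n in up.keys() & rb.keys() if up[n] != rb[n]),
    }


def make_archive(entries: dict[str, bytes], date_time: tuple) -> bytes:
    """Constructed in-memory zip (stand-in for a wheel) with a fixed entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time), content)
    return buf.getvalue()


# Constructed sample: the published artifact carries a module the source tree
# never produced; build timestamps differ but are normalized away.
SOURCE = {"pkg/__init__.py": b"VERSION = '1.0'\n", "META/BUILD_TIMESTAMP": b"2025-08-04"}
UPSTREAM = make_archive({**SOURCE, "pkg/_extra.py": b"import os\n"}, (2025, 8, 4, 10, 0, 0))
REBUILT = make_archive({**SOURCE, "META/BUILD_TIMESTAMP": b"2025-08-05"}, (2025, 8, 5, 1, 2, 0))

if __name__ == "__main__":
    print(compare(UPSTREAM, REBUILT))
```

An empty result means the rebuild reproduces the published artifact; anything under `only_in_upstream` is content that cannot be traced to the declared source, which is the class of divergence the rebuild approach is meant to surface.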

Policies

MSRC announced the return of Zero Day Quest, a public research challenge running 4 August to 4 October 2025 with up to $5 million in total bounty awards focused on cloud and AI security. The program is open to all researchers and builds on the prior year’s event.

Microsoft highlights targeted scenarios across Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365. A +50% bounty multiplier applies to Critical severity vulnerabilities and other high-impact findings that align with Microsoft’s bounty programs; when multiple multipliers might apply, only the highest value is used.

High-performing participants may qualify for an invite-only live hacking event at the Redmond campus in Spring 2026, working directly with product teams and MSRC engineers. Microsoft will offer training and recorded sessions from the AI Red Team, MSRC, and Dynamics teams to help researchers prepare. In line with Coordinated Vulnerability Disclosure and the Secure Future Initiative, Microsoft commits to transparently publish and assign CVEs for critical issues—even when no customer action is required—and to support public reporting once mitigations are in place. The initiative aims to strengthen cloud and AI security through collaboration and responsible disclosure.

Research

Talos detailed a collaboration with NetHope and Cisco Crisis Response to produce a tailored expansion deck for the Backdoors & Breaches tabletop exercise, focused on international humanitarian NGOs. The 2023 effort responds to a persistent cybersecurity “poverty line” in the sector, where limited resources and challenging operating conditions intersect with targeting by state actors, mercenary spyware groups, and other adversaries.

The NGO-centric deck models real incidents and conditions such as forced relocations, intermittent or low-bandwidth connectivity, and severely constrained technical resources. Presented at the 2023 NetHope Global Summit, the expansion generated practical discussions and hands-on learning; hundreds of physical copies were distributed and supporting materials were published online to broaden access.

Talos subsequently partnered with NGO-ISAC on a U.S. domestic edition tailored to civil society and distributed teams, including options to run sessions virtually from a simple local web server. The project emphasizes low barriers to entry and scalability so smaller organizations can rehearse worst-case scenarios without significant expense. By making sector-specific scenarios available, the initiative aims to strengthen preparedness, improve cross-team coordination, and reduce operational risks during humanitarian missions. Feedback from NGO participants has been positive, and Talos continues to distribute copies and support trainers as NGOs integrate the exercises into routine preparedness activities.

These and other news items from the day:

Mon, August 4, 2025

OSS Rebuild: Reproducible Builds to Harden Open Source

🔐 Google’s Open Source Security Team today announced OSS Rebuild, a new project to reproduce upstream artifacts and supply SLSA-grade provenance for popular package ecosystems. The service automates declarative build definitions and reproducible builds for PyPI, npm, and Crates.io, generating attestations that meet SLSA Build Level 3 requirements without requiring publisher changes. Security teams can use the project to verify published artifacts, detect unexpected embedded source or build-time compromises, and integrate the resulting provenance into vulnerability response workflows. The project is available as a hosted data set and as open-source tooling and infrastructure for organizations to run their own rebuild pipelines.

Mon, August 4, 2025

Zero Day Quest returns with up to $5M bounties for Cloud

🔒 Microsoft is relaunching Zero Day Quest with up to $5 million in total bounties for high-impact Cloud and AI security research. The Research Challenge runs 4 August–4 October 2025 and focuses on targeted scenarios across Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365. Eligible critical findings receive a +50% bounty multiplier, and top contributors may be invited to an exclusive live hacking event at Microsoft’s Redmond campus in Spring 2026. Participants will have access to training from the AI Red Team, MSRC, and product teams, and Microsoft will support transparent, responsible disclosure.

Mon, August 4, 2025

Talos and NetHope Equip NGOs with Tailored TTX Decks

🔐 Talos, in collaboration with NetHope and Cisco Crisis Response, developed a customized Backdoors & Breaches expansion deck to help humanitarian aid NGOs improve incident response and proactive security within constrained budgets. The cards model real-world challenges—forced relocation, limited connectivity, and scarce resources—to make tabletop exercises practical and relevant for both technical and non-technical teams. Hundreds of physical decks have been distributed and a U.S.-focused edition was created with NGO-ISAC for domestic organizations. Resources and virtual play options are provided to lower barriers to adoption and scale training.
