<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Vulnerability Research on Jorge Laurel</title><link>https://jorgelaurel.com/topics/vulnerability-research/</link><description>Recent content in Vulnerability Research on Jorge Laurel</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Tue, 14 Jul 2026 21:10:17 +0000</lastBuildDate><atom:link href="https://jorgelaurel.com/topics/vulnerability-research/index.xml" rel="self" type="application/rss+xml"/><item><title>When an AI Assistant Stores a False Memory</title><link>https://jorgelaurel.com/writing/when-an-ai-assistant-stores-a-false-memory/</link><pubDate>Tue, 14 Jul 2026 21:10:17 +0000</pubDate><guid>https://jorgelaurel.com/writing/when-an-ai-assistant-stores-a-false-memory/</guid><description>&lt;p&gt;&lt;img src="https://jorgelaurel.com/images/writing/fb739c940af496ef.png" alt="When an AI Assistant Stores a False Memory"&gt;&lt;/p&gt;
&lt;p&gt;A single email can lead an AI assistant to record something false about a user, without disclosing that it has done so, and then draw on that false record in later sessions. The technique requires no stolen password and no account access. It relies only on a message sent to an inbox the assistant is configured to read.&lt;/p&gt;
&lt;p&gt;Researchers describe the technique, which they call stealth memory injection, in a &lt;a href="https://arxiv.org/abs/2607.05189v1"&gt;paper posted to arXiv on 6 July 2026&lt;/a&gt;, titled &amp;ldquo;When Claws Remember but Do Not Tell.&amp;rdquo; They built a tool called MemGhost that generates the attack emails, and a benchmark called WhisperBench to measure how often it succeeds. The findings are relevant to teams, and individuals, considering agentic assistants in a production or private environment.&lt;/p&gt;</description></item><item><title>Vulnerability Exploitation Is Moving Faster. What the 2026 Time-to-Exploit Data Shows</title><link>https://jorgelaurel.com/writing/vulnerability-exploitation-is-moving-faster-what-the-2026-time-to-exploit-data-s/</link><pubDate>Fri, 26 Jun 2026 16:46:24 +0000</pubDate><guid>https://jorgelaurel.com/writing/vulnerability-exploitation-is-moving-faster-what-the-2026-time-to-exploit-data-s/</guid><description>&lt;p&gt;&lt;img src="https://jorgelaurel.com/images/writing/9ff786bcd88babc4.png" alt=""&gt;&lt;/p&gt;
&lt;p&gt;Average time from vulnerability disclosure to working exploit has dropped from roughly 125 days in early 2025 to under a day by April 2026, across an analysis of approximately 69,000 CVEs. Some vulnerabilities are now exploited before patch advisories are published. The assumptions most patch management processes were built on may no longer hold.&lt;/p&gt;
&lt;p&gt;For most of the last two decades, vulnerability management rested on a quiet assumption: between the moment a flaw became public and the moment an attacker could use it at scale, defenders had a usable buffer. Days, often weeks. Enough time to test, stage, and deploy a patch or patches. A lot of process was built on top of that buffer.&lt;/p&gt;</description></item><item><title>The Code Looks Fine. That's the Problem.</title><link>https://jorgelaurel.com/writing/the-code-looks-fine-that-s-the-problem/</link><pubDate>Thu, 04 Jun 2026 08:15:24 +0000</pubDate><guid>https://jorgelaurel.com/writing/the-code-looks-fine-that-s-the-problem/</guid><description>&lt;p&gt;&lt;img src="https://jorgelaurel.com/images/writing/4fa23481c605b74b.png" alt=""&gt;&lt;/p&gt;
&lt;p&gt;There is a version of this story that sounds like hype. Chinese AI models are secretly inserting backdoors into American software. Hackers are hiding in your IDE. The threat is invisible and everywhere.&lt;/p&gt;
&lt;p&gt;That version is wrong, and it is worth saying so clearly. Booz Allen Hamilton, which published this research in May 2026, does not claim intentional sabotage. The report is careful about that. What it does claim, backed by more than 2,800 test trials across five frontier models, is something more unsettling in its own way.&lt;/p&gt;</description></item></channel></rss>