| ▲ | wxw 2 hours ago | |||||||
> The vulnerability was first identified by Mindgard on December 15, 2025. We reported it the same day and multiple times since. More than six months and 197+ new versions later, the issue remains present in the latest tested version of Cursor. > The report was initially closed as Informative and out of scope. After we challenged that determination, HackerOne reopened the report, reproduced the issue, and confirmed that the details had been delivered to Cursor. And then everything stopped. Requests for updates went unanswered, additional follow-ups received no response, escalation through HackerOne produced no meaningful engagement, and direct outreach to Cursor leadership yielded the same result: no response. Really unfortunate. I don't understand why there's such a lack of response on the Cursor side. | ||||||||
| ▲ | app13 2 hours ago | parent | next [-] | |||||||
The CVE process itself is broken. HackerOne and company VDPs are inundated with new reports of varying quality thanks to the advancements (I think) in agentic AI. It's allowed for both an increase in trash-tier low quality AND legitimately high quality reports. Since the same AI's are writing both, its almost impossible to distinguish between the two at a surface level. In response, companies just aren't responding like they used to. I spoke at a cybersecurity conference In June and the overwhelming "vibe" on the floor and in the talks was that responsible disclosure was dead or dying, and public disclosure is the way forward. The Microsoft and Nightmare Eclipse situation was oft cited. | ||||||||
| ||||||||
| ▲ | buran77 2 hours ago | parent | prev | next [-] | |||||||
> I don't understand why there's such a lack of response on the Cursor side. Too busy being acquired by SpaceX? | ||||||||
| ▲ | _AzMoo 2 hours ago | parent | prev | next [-] | |||||||
It screams intentional to me. | ||||||||
| ▲ | sofixa 2 hours ago | parent | prev | next [-] | |||||||
> Really unfortunate. I don't understand why there's such a lack of response on the Cursor side. It's hard to vibe code security. | ||||||||
| ▲ | 2 hours ago | parent | prev | next [-] | |||||||
| [deleted] | ||||||||
| ▲ | khurs 2 hours ago | parent | prev | next [-] | |||||||
Perhaps its a intentional back door? NSA/FBI puts a git.exe in GitHub for a target. Target pulls the repo and it executes the payload. As Cursor is/was based on VS Code, does it happen in VS Code too? | ||||||||
| ||||||||
| ▲ | solid_fuel 2 hours ago | parent | prev [-] | |||||||
> I don't understand why there's such a lack of response on the Cursor side. ~~~To busy porting to their new rust-backed version of Bun to do anything boring like engineering, probably.~~~ EDIT: My mistake, wrong owners. It's hard to keep these tools straight sometimes. Most of the LLM tooling and interfaces I've tried are heavy on the features but light on the engineering, and that seems to be the case here too. | ||||||||
| ||||||||