For example, Mariner (now branded Azure Linux) is a Microsoft-supported Linux distribution. So in this list of 570 vulnerabilities, Microsoft have reported 100 vulnerabilities inherited from all sorts of open source software projects included in their Azure Linux distribution. The OpenSSH vulnerabilities are described in better detail at https://www.openssh.org/releasenotes.html where it implies 2 vulnerabilities were detected with Swival Security Scanner (using LLMs) and another 6 by other researchers/companies (using undisclosed methods).
As an example of one of the OpenSSH vulnerabilites CVE-2026-59996 which is attributed to Swival Security Scanner, Swival have published the output of their automated vulnerability detection report at https://github.com/Swival/security-audits/blob/main/openssh/...
https://devblogs.microsoft.com/dotnet/dotnet-and-dotnet-fram...
Releases without cve patches used to be quite common, max ive seen before were 3
I suppose you're a cake enjoyer, miss Marie Antoinette?
It is also true that Copilot is currently in use developing Bitlocker and Sharepoint. So I wouldn't be confident saying it was one or the other.
The pattern moved to packaging in all your dependencies.
Winget/Microsoft Store etc could auto-update your apps even with packaged .NET DLLs, though.
If 20 years ago you told me a single piece of software had 428 vulnerabilities I wouldn't have believed it.
If Chromium has that many security bugs, perhaps the move fast and break things approach of spraying diarrhea masquerading as code into a keyboard — in a rush to add new features no one asked for — needs to be reexamined.
For something as complex as an operating system or a web browser, even one from 20 years ago (say, Windows XP or IE/Firefox) I wouldn't have believed there were 428 vulnerabilities either, I would have assumed there were much more than that.
If only real intelligence found the fucking things instead.
As ye sew, so shall ye reap!
Probably working as intended...