Welcome to Runtime! Today: Why Patch Tuesday is about to go from an annoying-but-predictable chore to a huge project, the new vulnerability program proposed by the White House looks a lot like the old one, and Google Cloud's big outage Down Under.

Please forward this email to a friend or colleague! If it was forwarded to you, sign up here to get Runtime for free every week, or level up here.

At such a cost: At the time, it made a lot of sense: Microsoft has been orchestrating Patch Tuesday on the second Tuesday of the month ever since 2003, when it was scrambling to recover from a series of security disasters that threatened to erase its standing atop the tech world. Lumping security patches into a single release allowed corporate admins to prepare for those updates and ensure they could patch their systems without running into problems that could take down production applications.

But fast forward 23 years, and the AI era could lead Microsoft and its partners to rethink the way security updates are distributed to businesses. The company released over 630 distinct patches this week as part of the monthly tradition, when a year ago this month it had just 137 vulnerabilities to patch.

Microsoft blockbuster Patch Tuesday shows the vulnpocalypse has landed
Windows admins now have more than 630 new vulnerabilities to patch. Good luck!

That's an astonishing amount of patches to vet and test against production systems, and managing that deluge could be daunting for small to medium-size businesses that don't have enormous teams to crank through the process. And it certainly didn't help that Dell customers ran into immediate problems trying to apply the patches, which forced Microsoft to hold off on updating those systems until it could get a handle on the problem.

But it looks like this week's Patch Tuesday volume will be the new normal thanks to the arrival of powerful security LLMs, which certainly helped Microsoft find and patch more vulnerabilities than ever, but which also allow attackers to quickly detect and attack those vulnerabilities as soon as they are disclosed. It might be time to come up with a new system for patching at scale.

SPONSORED

GRC's reputation is shifting, and GRC Engineering is at the forefront. Join Ayoub Fandi, GRC Engineer at Lovable, and Justin Pagano, Sr. Director of GRC Engineering at Vanta, to discuss Legacy GRC and what comes next. You’ll learn practical ways to start automating, with lessons from Lovable and Vanta.

Learn more

Go birds: Of course, Microsoft is not the only company and organization that needs to manage the discovery, disclosure, and patching of software vulnerabilities. This week the White House unveiled "Gold Eagle," a new system for coordinating vulnerability disclosure that really looks a lot like the system discarded by the administration last year, Phillip de Wet reports.

US Gold Eagle vuln system looks a lot like the old one
So far, the Gold Eagle vulnerability clearing house seems to be CISA with some extra bits.

Zone out: Cloud companies offer availability zones to help customers insulate themselves against regional outages, but what happens when the zone-management software goes down? Google Cloud customers in Australia found out the hard way Wednesday after Google Cloud VMware Engine (GCVE) Stretched Cluster went down for nearly 12 hours thanks to a bad networking configuration update.

Google config error hits VMware clusters in three regions
Google sells stretched private clouds as protection against a complete failure of any one zone. But it messed up the network config.

To each their own: There are many different ways to run a multicloud infrastructure strategy; some companies set up redundant workloads across different cloud providers to insulate themselves from outages (at quite a cost), while others, like InDrive, use one cloud for production and another for analytics. "... if you really want to make things more reliable than with a single cloud, then your orchestration layer between environments needs to be more robust than what Amazon or Google builds, which is almost impossible without their level of investment," InDrive CTO Yuri Misnik told The Stack.

inDrive CTO insists on a “one workload, one cloud” approach
“We’re handling 300-400,000 transactions per second at peaks, so quite a high volume...”

Caveat emptor: If for whatever reason your business decides it needs to use SpaceXAI's Grok models, keep a close eye on network activity. This week it was revealed that Grok Build customers were sending their entire code bases to a SpaceXAI-owned Google Cloud storage bucket without their consent or any notification, which the company rolled back after widespread protest.

Grok Build uploaded entire code bases to SpaceXAI without telling users
“Allowing this would be appreciated, but your privacy settings are always respected,” says Musk

And to appease its privacy concerned customers, SpaceXAI has promised to delete all the data it retained and has open sourced the coding harness for all to see.

SpaceXAI open sources Grok Build CLI after privacy concerns
SpaceXAI open sources Grok coding agent after a researcher found it was quietly scrapping users’ git repos.

Shrug it off: Cursor says an arbitrary code execution bug in its vibe coding platform is not its responsibility after researchers said it had failed to patch the vulnerability for seven months. Mindgard said it first reported the bug which impacts Windows environments in December 2025, 70 versions later it's still there.

Cursor says ‘not our problem’ to seven-month-old bug report
“Issues that depend on compromised or malicious inputs already present in that context generally fall outside our bug bounty scope.”

We're also reading:

Dave Brown, one of AWS's top computing executives for nearly 20 years, is leaving the company for another opportunity, AWS announced.

Microsoft is doubling down on the AI security business and tossing some traditional security products and executives to the side, according to The Information.

Want to sponsor a newsletter and get in front of 30,000+ subscribers, including CTOs and CIOs wielding $150 billion in annual tech budget? Get in touch through our Partner page. 

The link has been copied!