Cursor says seven-month unresolved bug is not its responsibility Cursor denied responsibility for a seven-month-old arbitrary code execution bug in its vibe coding platform, saying the issue depends on compromised or malicious input and falls outside its bug bounty scope. The platform, owned by Anysphere and used by 64% of the Fortune 500, was criticized by researchers at Mindgard for ignoring their disclosure. Security /tag/security/ Cursor has denied responsibility for an arbitrary code execution bug in its vibe coding platform after researchers said it had failed to patch the vulnerability for seven months. The platform, bought by SpaceX for $60 billion in June, said the issue depended on a compromised or malicious input and therefore fell outside its bug bounty scope after Mindgard accused it of ignoring its research https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left?ref=thestack.technology . A Cursor spokesperson told The Stack : “We operate under a shared responsibility model for workspace and agent-context inputs: customers decide which repositories, prompts, external content, MCP servers, rules, and tools to introduce into their environment, and Cursor provides controls to help manage that trust boundary.” Cursor, a product of Anysphere, has more than 50,000 enterprise customers, including 64% of the Fortune 500, according to its website https://cursor.com/enterprise?ref=thestack.technology , and a 1 million+ daily active users. https://www.cnbc.com/2026/05/19/cursor-cnbc-disruptor-50-ranking.html?ref=thestack.technology reported Get the full story: Subscribe for free Join peers managing over $100 billion in annual IT spend and subscribe to unlock full access to The Stack’s analysis and events. Subscribe now https://www.thestack.technology/membership/ Already a member? Sign in https://www.thestack.technology/signin/