THE DEEP TAKE
Two enterprises paid this week. Neither said the word ransom.
On Wednesday, Instructure confirmed it had "reached an agreement" with ShinyHunters, the group that claimed 3.65 terabytes of Canvas user data and threatened release if a ransom went unpaid by May 12. ShinyHunters then removed every reference to Canvas and the roughly 8,809 institutions affected from its leak site. Two days earlier, West Pharmaceutical Services filed an 8-K with the SEC describing steps to "mitigate the risk of dissemination of the exfiltrated data" from a May 4 ransomware attack. No ransomware crew has publicly claimed West, which security reporters typically read as a paid settlement. Two large enterprises in two regulated sectors took the same playbook this week: negotiate, settle, do not say the word ransom.
The older playbook still works, and it has been the default for years. Disclose under the SEC 8-K rules, accept that the plaintiffs' bar will file class actions inside two weeks of public notice, and litigate from there. The cost curve is painful but known. The newer playbook is different. The immediate harm to data subjects shrinks because the data does not get dumped. The disclosure your downstream partners and customers would have used to update their own posture never arrives. The trade-offs run in opposite directions, and there is no public version of how a given vendor will choose.
For a CIO or CISO running vendor risk reviews, that bifurcation is the news. Vendor risk questionnaires already cover SOC 2 status, encryption posture, and 72-hour breach notification clauses. Almost none cover the vendor's operational default under a live ransom demand. The Instructure outcome means roughly 8,809 institutions had their notification timeline decided by one vendor's choice to settle. The West Pharmaceutical outcome means downstream pharma and medtech customers whose specs and shipping data flowed through West's systems may not know whose hands the data passed through, because there is no public claim and no detailed disclosure beyond the 8-K. Both are valid corporate decisions. Neither is in your questionnaire.
Two structural forces are pushing more enterprises toward the pay-and-quiet path. The plaintiffs' bar now files inside two weeks of disclosure, which compresses the cost calculus toward immediate settlement on the criminal side rather than a multi-year class defense. And ransom groups have figured out that operational SaaS players are more pressed for time than the attackers are. Canvas hit during exam season. West sits in the middle of global pharmaceutical shipping flows. The leverage favors quiet settlement, and the cost-benefit math on the corporate side has started to agree.
Two questions belong in every vendor renewal between now and the end of the year. First: under a live ransom demand affecting our tenant, what is your default operational posture, and what notification do we get inside 24 hours? Most vendors will not answer this clearly, which is itself the answer. Second: who is your incident response counsel and IR retainer firm, and have they handled a paid ransom in the last 12 months? Vendors who have negotiated a settlement know how the process actually works. Vendors who have not are running their first one on your data.
The week's bigger pattern is that disclosure is no longer the default. Enterprises that hold consumer or patient or student data are quietly learning that the legal and reputational cost curve favors paying. Your downstream exposure now depends on a decision your vendor makes inside a 72-hour window you do not see. That is not a controls problem. It is a contract problem. The vendor questionnaires that catch up will be the ones that ask what happens when the breach the vendor never tells you about runs its course.
Powered by the DoGood network
The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.
QUICK HITS
Cisco's SD-WAN Controller got an emergency CVSS 10 with active exploitation
Cisco published an emergency advisory Wednesday for CVE-2026-20182, an authentication bypass in the Catalyst SD-WAN Controller (formerly vSmart) that scores CVSS 10.0 and is already under limited exploitation by a sophisticated actor Talos tracks as UAT-8616. The flaw lives in the peering authentication path over DTLS port 12346 and lets an unauthenticated remote attacker gain administrative privileges, at which point the SD-WAN fabric configuration is editable. CISA added it to the KEV catalog with a federal mitigation deadline of May 17. There is no workaround; the patch is the only mitigation. Audit your SD-WAN controllers for DTLS exposure and patch this weekend.
An 18-year-old NGINX bug shipped this week with a working public PoC
On Wednesday, F5 and the research firm depthfirst jointly disclosed CVE-2026-42945, nicknamed NGINX Rift: a heap buffer overflow in the rewrite module that has been latent since 2008. It scores CVSS 9.2 and affects every NGINX Open Source version from 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. A working unauthenticated RCE proof-of-concept landed alongside the disclosure. The interesting detail under the hood: depthfirst found it by pointing an autonomous vulnerability analysis system at the NGINX source tree and getting a hit inside six hours. Patch to 1.30.1 or 1.31.0, audit your active rewrite rules for unnamed PCRE captures with question marks in the replacement, and add NGINX to the short list of foundational middleware to recheck whenever an AI-driven discovery tool gets pointed at it next.
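An added audit helper for the rewrite-rule check above, written here for this brief and not taken from F5, depthfirst or the NGINX project: it scans nginx configuration text for rewrite directives whose regex uses unnamed captures and whose replacement contains a question mark. The sample config is constructed, and the match rule is a heuristic derived from the brief's wording, not the vendor's official detection logic.

```python
import re

# Constructed sample nginx config fragment for demonstration only.
SAMPLE_CONF = """
server {
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/search/(.*)$ /find?q=$1 last;
    rewrite ^/user/(?<name>[a-z]+)$ /profile?user=$name last;
    rewrite ^/static/(.*)$ /assets/$1? break;
    location /x { return 301 /y; }
}
"""

# rewrite <regex> <replacement> [flag];
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*;')


def unnamed_captures(regex: str) -> bool:
    """True if the PCRE regex has an unnamed capture group.

    An unnamed group is an unescaped "(" not followed by "?", so
    named groups "(?<name>...)" and non-capturing "(?:...)" are skipped.
    """
    return re.search(r'(?<!\\)\((?!\?)', regex) is not None


def audit_rewrites(conf: str):
    """Return (line_no, regex, replacement) for rewrite rules that combine
    an unnamed capture in the regex with a "?" in the replacement,
    the pattern the brief recommends reviewing (heuristic, assumption)."""
    findings = []
    for line_no, line in enumerate(conf.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        regex, replacement = m.group(1), m.group(2)
        if unnamed_captures(regex) and '?' in replacement:
            findings.append((line_no, regex, replacement))
    return findings


if __name__ == "__main__":
    for line_no, regex, replacement in audit_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: rewrite {regex} {replacement}")
```

Run it against a dumped config (for example the output of `nginx -T`) to get a review list; a hit means the rule deserves a look, not that it is exploitable.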
A researcher dumped two more Microsoft zero-days while Patch Tuesday went clean
A researcher using the alias Nightmare-Eclipse (also Chaotic Eclipse) released proof-of-concept code Tuesday for two unpatched Microsoft vulnerabilities. YellowKey is a BitLocker bypass. GreenPlasma escalates a local user to SYSTEM. Both followed the same researcher's April release of BlueHammer (CVE-2026-32201, which Microsoft patched). Two earlier PoCs from the same alias, RedSun and UnDefend, remain unfixed, and Microsoft has acknowledged that exploit code based on them is already being used in real attacks. Microsoft's own May Patch Tuesday release math showed zero exploited zero-days, the first such month since June 2024. A single uncoordinated researcher provided two more the same week. Treat the new PoCs as actively exploited until Microsoft ships fixes. Compensating controls until then: tighten BitLocker recovery key handling on managed endpoints, and harden user-facing devices against local privilege escalation.
THE NUMBER: 23 months
23 months: the gap between this week's Microsoft Patch Tuesday with zero exploited or publicly disclosed zero-days and the last one. Read on its own, that number is a footnote. Read next to Quick Hit 3, it changes a planning variable. Microsoft's release math went clean for the first time in nearly two years. A single uncoordinated researcher provided two new zero-days the same week. The "fix-the-exploited-bugs-first" rule of thumb did not return an empty set this month; it stopped pulling from Microsoft's own advisory text. For the reader: disclosure source is a planning variable now, not a fixed input. The working assumption that one or two exploited zero-days per Patch Tuesday come from Microsoft needs a footnote that says "or from a researcher with a grudge."
What you don't control is the question your next vendor renewal cycle needs to answer. The CIOs in the DoGood network renewing this quarter are the ones to compare notes with on what they're now putting in writing.
The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.
