This blog post describes the journey of discovering a VM escape bug with the goal of demystifying the security research process and demonstrating how persistence and pivoting can lead to achieving successful exploitation.| Security Engineering Blog
Check out our new Patch Rewards Program for OSV-SCALIBR, offering financial incentives for providing novel OSV-SCALIBR plugins for inventory, vulnerability, or secret detection.| bughunters.google.com
Curious to hear about our experience exploiting Retbleed (a security vulnerability affecting modern CPUs)? Then check out this post to see how we pushed the boundaries of Retbleed exploitation and understand more about the security implications of this exploit for modern computing systems.| bughunters.google.com
The HTML specification has been updated to escape '<' and '>' in attributes to prevent mutation XSS (mXSS) vulnerabilities. This post details the reasoning behind this change and explains why this update improves security.| Security Engineering Blog
This blog post presents one of the events we regularly host to complement our VRP program – bugSWAT, with a particular focus on our latest, AI-related event in Tokyo!| bughunters.google.com
The Android & Google Device VRP now offers a $1,000 reward to researchers who include an AutoRepro test with their vulnerability report! Check out our blog post for more details.| bughunters.google.com
This blog post takes you through the 2024 highlights across the assorted VRPs at Google.| bughunters.google.com
Join us as we take a closer look at the technical details of how we identified the root causes for TT violations in two flagship rollouts: Gmail and AppSheet.| bughunters.google.com
This blog post covers the full details of EntrySign, the AMD Zen microcode signature validation vulnerability recently discovered by the Google Security team.| bughunters.google.com
Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.| bughunters.google.com
This blog post takes you through everything you need to know about the Patch Rewards Program, including our newly introduced focus on memory safety (including reward multipliers!), recently increased reward amounts, and lots more!| bughunters.google.com
The InternetCTF offers a total reward of up to $10,000 to bug hunters who not only discover novel code execution vulnerabilities in Open Source Software, but also provide Tsunami plugin patches for them!| bughunters.google.com
This blog discusses what one year of AI bug bounties has taught us and where we're planning to go from here.| Security Engineering Blog
The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog post for details.| Security Engineering Blog
Read this blog post to understand VPC-SC product details, how to set up an environment, and what vulnerability criteria to consider when bug hunting on this product.| Security Engineering Blog
Want to learn about using a static analysis tool called CodeQL to search for vulnerabilities in Google Chrome? Then this blog post is for you!| bughunters.google.com
This blog post looks at a few examples of how the `SslErrorHandler` class has been (mis)used, and then highlights how the class is actually meant to be implemented.| Security Engineering Blog
This blog post describes Google's approach to vulnerability research on our Cloud AI Platform, Vertex AI. We're sharing this so that external researchers can learn from our work and to help them discover new vulnerabilities.| Security Engineering Blog
False positives are a recurring issue when working with external scanning tools. This blog post discusses the most common types of false positives the AutoVM team at Google has observed in this context and provides instructions on how to identify them.| Security Engineering Blog
In this document, Google's Cloud Vulnerability Research team (CVR) presents vulnerabilities in a third-party JPEG 2000 image library called Kakadu. Exploiting memory corruption vulnerabilities typically requires knowledge about the target environment; however, CVR outlines how to overcome these challenges with a technique called 'Conditional Corruption,' achieving remote code execution impact.| Security Engineering Blog
Read on to understand how Google currently evaluates the threat landscape related to post-quantum cryptography, and what implications this has for migrating from classical cryptographic algorithms to PQC.| bughunters.google.com