Security Engineering Blog

Google's goal is to make it easier for ourselves, and the rest of the world, to ship secure products. Our blog is intended to share ways in which we make the Internet, as a whole, safer, and what that journey entails.
  • David Dworken, Lukas Weichselbaum | Feb 4, 2025

    Secure by Design: Google's Blueprint for a High-Assurance Web Framework

    Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.
  • Sam Erb, Duygu Isler, Alex Rebert, Dirk Göhmann | Jan 21, 2025

    Level Up Your Open Source Karma (And Your Wallet) by Improving Security

    This blog post takes you through everything you need to know about the Patch Rewards Program, including our newly introduced focus on memory safety (including reward multipliers!), recently increased reward amounts, and lots more!
  • Annie Mao, Hlynur Óskar Guðmundsson | Jan 8, 2025

    Capturing the Flags of the Internet: Find 0-days in OSS and write scanners to detect them

    The InternetCTF offers a total reward of up to $10,000 to bug hunters who not only discover novel code execution vulnerabilities in Open Source Software, but also provide Tsunami plugin patches for them!
  • Aaron Brown, Mark M. Jaycox | Dec 17, 2024

    Celebrating One Year of AI Bug Bounties at Alphabet

    This blog discusses what one year of AI bug bounties has taught us and where we're planning to go from here.
  • Alexis Imperial-Legrand, David Dworken, Federico Scrinzi | Dec 4, 2024

    The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)

    The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog post for details.
  • Julia Hansbrough | Nov 21, 2024

    Finding Bugs in Chrome with CodeQL

    Want to learn about using a static analysis tool called CodeQL to search for vulnerabilities in Google Chrome? Then this blog post is for you!
  • Vincent Winstead | Nov 12, 2024

    Think Outside the Perimeter: Bug Hunting in Google Cloud's VPC Service Controls

    Read this blog post to understand VPC-SC product details, how to set up an environment, and what vulnerability criteria to consider when bug hunting on this product.
  • Julian Yates, Richard (Torne) Coles | Oct 28, 2024

    Certificate Error Mishandling: Misuse and Abuse of the SslErrorHandler Class

    This blog post looks at a few examples of how the `SslErrorHandler` class has been (mis)used, and then highlights how the class is actually meant to be implemented.
  • Anthony Weems | Oct 4, 2024

    Protecting Large Language Models

    This blog post describes Google's approach to vulnerability research on our Cloud AI Platform, Vertex AI. We're sharing this so that external researchers can learn from our work and to help them discover new vulnerabilities.
  • Erik Varga | Sep 16, 2024

    Non-Actionable Findings in 3rd-party Security Scanners...and How to Identify Them

    False positives are a recurring issue when working with external scanning tools. This blog post discusses the most common types of false positives the AutoVM team at Google has observed in this context and provides instructions on how to identify them.