Secure by Design: Google's Blueprint for a High-Assurance Web Framework
Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.

Level Up Your Open Source Karma (And Your Wallet) by Improving Security
This blog post takes you through everything you need to know about the Patch Rewards Program, including our newly introduced focus on memory safety (including reward multipliers!), recently increased reward amounts, and lots more!

Capturing the Flags of the Internet: Find 0-days in OSS and write scanners to detect them
The InternetCTF offers a total reward of up to $10,000 to bug hunters who not only discover novel code execution vulnerabilities in Open Source Software, but also provide Tsunami plugin patches for them!

Celebrating One Year of AI Bug Bounties at Alphabet
This blog discusses what one year of AI bug bounties has taught us and where we're planning to go from here.

The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)
The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog post for details.

Finding Bugs in Chrome with CodeQL
Want to learn about using a static analysis tool called CodeQL to search for vulnerabilities in Google Chrome? Then this blog post is for you!

Think Outside the Perimeter: Bug Hunting in Google Cloud's VPC Service Controls
Read this blog post to understand VPC-SC product details, how to set up an environment, and what vulnerability criteria to consider when bug hunting on this product.

Certificate Error Mishandling: Misuse and Abuse of the SslErrorHandler Class
This blog post looks at a few examples of how the `SslErrorHandler` class has been (mis)used, and then highlights how the class is actually meant to be implemented.

Protecting Large Language Models
This blog post describes Google's approach to vulnerability research on our Cloud AI Platform, Vertex AI. We're sharing this so that external researchers can learn from our work and to help them discover new vulnerabilities.

Non-Actionable Findings in 3rd-party Security Scanners...and How to Identify Them
False positives are a recurring issue when working with external scanning tools. This blog post discusses the most common types of false positives the AutoVM team at Google has observed in this context and provides instructions on how to identify them.