Brolly

@Bugcrowd Absolutely agree! The crux of the matter: How to convince the triage teams (in my experience quite often the "not-so-expierenced" staff)? They are seemingly trained too often for remote issues, not what can happen when using logic errors. It's ~95 % "by design" then. Do tell! :(

Some vulnerabilities only show up when a real person understands the business logic, chains together signals, and thinks like an attacker. In our webinar with Schibsted, Gabriel explains why bug bounty programs are a critical layer for finding the deeper exploits automated tools can miss. Keep up the great work, hackers 👏 Watch the full clip: bugcrowd.com/webinar/

What was the main reason for getting actually valid security vulnerabilities rejected, here in #Bugbounty programs VRP driven by OS companies?

@GoogleVRP Just wondering why @Android is continu. hardening secondary lockscreens in system settings depending on loc./scenario the device is (could be biometrics bcs shoulder surfers) but @GoogleVRP is neglecting sec. lockscr. issues by default as per their scope? developer.android.com/security/fraud…

@GoogleVRP Question: In scope: "unlocking Private Space without the designated lock factor" Not in scope: "secondary lockscreen bypasses". I am wondering what is correct. Dependent from coincidence? Thx for an enlightenment.

📣📢 Calling all Android and Chrome bug hunters 🧑‍💻🔎! We're updating our Android & Chrome VRP programs to ensure we can continue to reward the most challenging and impactful vulnerabilities researchers find in our products. For details, 👇 bughunters.google.com/blog/evolving-…

@lukashanren1 Sometimes Google VRP needs months. In case they have no more justification why it should be still Working As Intended (contrary to their rules and security feature descriptions) it would suddenly be a "duplicate". Own experiences. More than once. For sake of "burning the bridge"?

Google VRP handles duplicate reports very quickly — usually within 1–3 minutes. It appears to be fully automated. Why don’t other platforms do the same?

@GoogleVRP @erbbysam A pity, no answer as usual. Means, an existing issue in current Android 16 where any app could replace several Android settings activities by own activ. will stay as it is, exploitable by malicious apps. Capable of gaining user credentials. Directly in the settings task itself.

@GoogleVRP @erbbysam Hi, May you please clarify: Which vectors're meant? Attacks depend. on malic. apps are normally declined as the user's fault bcs he has installed that mal. app, issues with local-phys. access/2nd lockscr. bypass ditto as the device would be unlocked, so the user's fault

📢📢📢 Attention bug hunters! The Google VRP is updating its reward model, with a focus on the impact of vulnerabilities and the sensitivity of the data involved. To this end, we're introducing two dimensions: Information Tiers and Action Criticality. 👀👇 bughunters.google.com/blog/standardi…

@Google @Android > Continuing to advance Android security and privacy (...) we are ensuring that Android remains the most secure platform. We will continue (...) to keep users, their data, and their devices safe throughout 2026 and beyond. Seriously? Proposal: Listen to Security Researchers!!

Catch up on all the upgrades coming to @Android → goo.gle/4eIbi9g #TheAndroidShow

We’re rolling out new updates to make your everyday @Android experience even better, including: 🤳 Screen Reactions, so you can record yourself and your screen at the same time — without switching apps or setting up a green screen 📸 An improved Instagram experience in partnership with Meta, including ultra HDR video, Night Mode integrations, brand new tools in the Edits app and more 📴 New digital wellbeing tools, like Pause Point, to help you reclaim your time and use apps more mindfully 😀 Nearly 4,000 redesigned emoji 🤝 New features to make it even easier to switch to Android from another phone, so your passwords, photos, messages, favorite apps, contacts and even your homescreen travel with you 🛜 Expanded Quick Share compatibility, so you can easily share files with more types of devices #TheAndroidShow

@freebsdfrau The next number is 42417680.

Few people can look at this and tell what it is that I am doing … #FreeBSD

@GoogleVRP Is your blog implicitly confirming what many people here seem to feel, in other words collab. preferably with a selected "elite" crowd only? These feelings may already be confirmed by yourself by not reacting to the many concerns and questions on your X channel, aren't they? 🤔

In April 2026, we held the latest edition of bugSWAT (our live event for security researchers) in Seoul, South Korea. For more information on this edition's focus, its impact & winners, as well as bugSWAT in general, see 👇 bughunters.google.com/blog/bugswat-i…

@GoogleVRP Invest ≠ go-live. 🤔 "(...) we continuously invest in the quality of our VRP programs and our relations with the external (...) community – all with the goal of ensuring that (...) products maintain the _highest_possible_ security standards and _remain_safe_ for our users."

@alisaesage Really great. Google and Android VRP are also excited in ensuring that the reporter is experiencing such a groundbreaking interpretation of their own explicit rules. At least your report got a fix.

One of my great experiences with Google's Chromium VRP last month

@intigriti Eagle eyes, brain and keyboard/mouse. (Sadly this is often not compatible with triagers, as they are seemingly only trained for code, code and code. Though there are so many logic flaws exploitable just by using the aforementioned four things).

What are currently your top 3 most used bug bounty tools? 😎

@0x0v1 It might depend on the skills, experiences and enthusiasm of the parties involved. Just speculation.

@coolbrolly Not quite. Google won't accept bugs if Developer Mode is a requirement for the bug. They will accept bugs where the bug is affecting that component itself. Locality is accepted also. But this also affects many devices who exposed their ADB port to the internet.

Today we are disclosing CVE-2026-0073: A critical no-interaction proximal/adjacent remote code execution vulnerability in adbd's ADB-over-TCP authentication path. Full technical write-up + exploit flow: barghest.asia/blog/cve-2026-…

@0x0v1 Yes. My experiences are nonetheless others. The user is not allowed to trust any network, and/or developer mode as "the gate" is on. Regardless of a bug there itself and the way: remote or cable on an actually secure device (without ADB!) doesn't mind: WAI/NSI/infeasible then:(

@0x0v1 But thank you that you found it and secured the world!

Got an invite from @msftsecresponse for a researcher meeting during BlackHat 2026! 🎉 How thoughtful of them to acknowledge all that under-the-radar "collaboration". Though Vegas seems like a bit too much (away) for a quick coffee or two. 😅 #MSRC #Cybersecurity

@sirdarckcat IMHO many misunderstandings leading to discouragement could be minimised by simply reading plus trying to understand questions, concerns and appeals, finally answering them thoroughly (less AI templates). One example would be GoogleVRP at X -- purely unanswered topics.

For Bug Hunters, it always seemed like we were discouraging collaboration (having a private edge was a difference between $0 and hundreds of thousands of dollars). We tried everything to fix that, but with very modest successes. Another problem was predictability.. 4/🧵

Just finished a really cool visit to Singapore! Where I met with a lot of the smartest folks here in the Vulnerability Research space. We are planning to build a new security hub in Singapore. And the first team we are building is going to be focused on.. 1/?🧵

@sirdarckcat > And if you didn't find a "full chain", either the bug was worth nothing, or you felt like it wasn't paid properly.. Might be. But wasn't the public statement in several rules for years now that the max possible impact would count? If the entrance to the target was opened ...

... It was common for even experienced bug hunters not to know if their bug will be rewarded, and if so, how much. Even the best bugs could be duplicates. And if you didn't find a "full chain", either the bug was worth nothing, or you felt like it wasn't paid properly.. 5/🧵

@sirdarckcat Things happen. All normal in life. I am wondering why newer/younger/weird canonical IDs (1337, 1338 and others) would allegedly exist. What is the intention here? Burning the bridge for discussions? Typo? Mistriage? Personal benefits? Thx.

@sirdarckcat That is an interesting comparison. Cool. Hasn't Triage at several Google VRP's started already to believe so? The grass is green, the flowers are coloured, and the justification for not being a security vulnerability only minds the tiny ants between the grass blades.

But everyday people also don't know how to differentiate a valid from an invalid bug. LLMs "kindof" know, but given enough encouragement they'll tell me the sky is white and the clouds are blue.. until I start to believe that too! 9/🧵