Google VRP (Google Bug Hunters)

📢 Open source security researchers, take note: we've updated the OSS VRP rules! We're emphasizing the need for actionable reports and verifiable reproduction steps – to allow us to focus on critical threats with real-world impact. For more details 👇 bughunters.google.com/blog/ossvrp-ru…

GCP VRP Secrets? 🤫 Hear from the program leads! Michael Cote (linkedin.com/in/michaelpatr…) & Darby Hopkins (linkedin.com/in/darbyhopkins) join @ctbbpodcast to talk shop: killer report tips, program insights & boosting your bounty game on Google Cloud. 🎧 youtu.be/7u6xpVhEpBA #GoogleVRP #BugBounty #CloudSecurity #GCP

Our Google Cloud VRP researchers don't miss! 🔥 Check out @terminatorLM's latest Looker research uncovering 9 novel cross-tenant vulns in Looker. See how it was done: 👇

📣📣📣 Hot off the press: 2025 highlights of Google's vulnerability reward programs! Notably, we awarded an all-time high of over $17 million in rewards 💰 and kicked off the dedicated AI VRP 🤖. Thank you to our incredible bug hunting community 🧑‍💻🧑‍💻🧑‍💻!!! bughunters.google.com/blog/google-vr…

📢 Interested in AI and agent security at Google🛡️? This post looks at how we mitigated the risk of URL-based data exfiltration through provenance checks and sanitization – effectively blocking a prompt injection-based exploitation vector. bughunters.google.com/blog/mitigatin…

Offline authentication on Android 🤖 🔒? Find out how the FIDO alliances's Hybrid transport architecture was expanded to support this crucial scenario, and how this increases reliability and unlocks many new use cases. bughunters.google.com/blog/hybrid-tr…

Next up in our series on Android and authentication 🤖 🔒: Learn how the FIDO Alliance's Hybrid protocol has been expanded beyond CTAP messages to also support generic JSON, and which new use cases this extended approach enables. bughunters.google.com/blog/hybrid-pr…

Curious how we go about security reviews at Google? In this case, we teamed up with Intel to take a closer look at Intel Trust Domain Extensions (TDX) 1.5 and help secure the confidential computing space! For the details, 👇 bughunters.google.com/blog/a-joint-s…

🔒 Want to move beyond passwords? Check out this beginner's guide to Cross-Device Passkeys! Learn how "Hybrid transport" uses QR codes and Bluetooth to let you sign in securely on any device – even public ones – without ever sharing your private keys. bughunters.google.com/blog/passkeys

Want to see what elite security research looks like? 🌟 @omer_asfu, one of Google Cloud VRP's best, dropped a cross-tenant finding: CVE-2025-13292 (nvd.nist.gov/vuln/detail/CV…)

Interested in Android and authentication 🤖 🔒? Our latest post takes a look at how online authentication on Android evolved from simple passwords to more secure methods, and highlights the role of FIDO (Fast Identity Online) Alliance specifications. bughunters.google.com/blog/fido

Want to see what top-notch security research looks like? Look no further than @j_domeracki's latest research, a standout contributor to the Google Cloud VRP! 🪲💪 jdsec.cloud/posts/2026-01-…

New to hacking? Curious how to break things? 🕵️‍♂️✨ Google CTF Beginner's Quest 2025 is LIVE! 🚀 Tackle challenges crafted to get you started. Sign up, join the fun, and secure your spot on the leaderboard! 🏆 👇 capturetheflag.withgoogle.com/beginners-quest

📢📢📢 Our Patch Rewards Program rules were updated to explicitly encourage batched submissions, and place every Google-filed OSS vulnerability explicitly into scope (thanks for your feedback). Interested in getting rewarded for your awesome OSS security work? g.co/prp

Interested in the security of AI Agents 💁🛡️? Then you've likely heard of "prompt injection", but do you know what "task injection" is? If you're curious, check out our latest post for a description and some real-world examples we discovered. bughunters.google.com/blog/482385717… bughunters.google.com/blog/482385717…

📢 Calling all friends of cryptography 🔐 After assessing the Quantum Key Distribution (QKD) technology, we believe PQC is the more mature and scalable solution for Google's needs. Curious how we came to this conclusion? Read on... bughunters.google.com/blog/462546600…

We're LIVE from the Google Cybersecurity Engineering Center in Malaga! ⚡🛡️ The init.g sessions are kicking off, we're excited to meet the talent that will redefine the future of cybersecurity. Learning, networking, and lots of good hacking. init.g(malaga) { return SUCCESS; }

📣 Auto-CSP in Angular and Secure Web Application Guidelines: two examples of how Google's Secure by Design philosophy contributes to the security of the online ecosystem as a whole. Read on for details 👇 bughunters.google.com/blog/545713056…

Google's annual security conference, ESCAL8, has concluded. Check out our blog post for a detailed report 👇 Spoiler: includes bugs 🐞🪲🦗, cybersecurity education 🛡️, and a CTF 🏳️ 🏴 bughunters.google.com/blog/648968002…

This year's Hackceler8 finals in Mexico City 🇲🇽 have concluded, with Kalmarunionen taking the win in our coveted, annual CTF. Congratulations! Kudos to Zer0RocketWrecks for second place, and a big shout out to the semi-finalists DiceGang and Maple Mallard Magistrates. youtube.com/watch?v=gEP62j… 1st: @kalmarunionenDM 2nd: ctftime.org/team/307823 3rd: @mmm_ctf_team & @dicegangctf