Tuesday, August 3, 2021

A new chapter for Google’s Vulnerability Reward Program

Posted by Jan Keller, Technical Program Manager, Google VRP A little over 10 years ago, we launched our Vulnerability Rewards Program (VRP). Our goal was to establish a channel for security researchers to report bugs to Google and offer an...

Protecting more with Site Isolation

Posted by Charlie Reis and Alex Moshchuk, Chrome Security Team Chrome's Site Isolation is an essential security defense that makes it harder for malicious web sites to steal data from other web sites. On Windows, Mac, Linux, and Chrome OS,...

Advancing an inclusive, diverse security industry

Posted by Sarah Morales, Community Outreach Manager, Security It’s no secret that lack of diversity in corporate America is a well-documented problem and improvements have been slow. To help improve female representation in the cybersecurity industry, Google teamed up with...

Verifiable design in modern systems

Posted by Ryan Hurst, Production Security Team The way we design and build software is continually evolving. Just as we now think of security as something we build into software from the start, we are also increasingly looking for new...

Measuring Security Risks in Open Source Software: Scorecards Launches V2

Posted by Kim Lewandowski, Azeem Shaikh, Laurent Simon, Google Open Source Security Team Contributors to the Scorecards project, an automated security tool that produces a “risk score” for open source projects, have accomplished a lot since our launch last fall....

Announcing a unified vulnerability schema for open source

Posted by Oliver Chang, Google Open Source Security team and Russ Cox, Go team In recent months, Google has launched several efforts to strengthen open-source security on multiple fronts. One important focus is improving how we identify and respond to...

Get ready for the 2021 Google CTF

Posted by Kristoffer Janke, Information Security Engineer Are you ready for no sleep, no chill and a lot of hacking? Our annual Google CTF is back! The competition kicks off on Saturday July 17 00:00:01 AM UTC and runs through...

Introducing SLSA, an End-to-End Framework for Supply Chain Integrity

Posted by Kim Lewandowski, Google Open Source Security Team & Mark Lodato, Binary Authorization for Borg Team Supply chain integrity attacks—unauthorized modifications to software packages—have been on the rise in the past two years, and are proving to be common and...

Rust/C++ interop in the Android Platform

Posted by Joel Galenson and Matthew Maurer, Android Team One of the main challenges of evaluating Rust for use within the Android platform was ensuring we could provide sufficient interoperability with our existing codebase. If Rust is to meet...

Verifiable Supply Chain Metadata for Tekton

Posted by Dan Lorenc, Priya Wadhwa, Open Source Security Team If you've been paying attention to the news at all lately, you've probably noticed that software supply chain attacks are rapidly becoming a big problem. Whether you're trying to prevent...

Announcing New Abuse Research Grants Program

Posted by Anna Hupa, Marc Henson, and Martin Straka, Google VRP Team Our Abuse Bug Bounty program has proved tremendously successful in the past three years since its introduction – thanks to our incredibly engaged community of researchers. Their contributions...

New protections for Enhanced Safe Browsing users in Chrome

Posted by Badr Salmi, Google Safe Browsing & Varun Khaneja, Chrome Security In 2020 we launched Enhanced Safe Browsing, which you can turn on in your Chrome security settings, with the goal of substantially increasing safety on the web....

Introducing Security By Design

Posted by Jon Markoff and Sean Smith, Android Security and Privacy Team Integrating security into your app development lifecycle can save a lot of time, money, and risk. That’s why we’ve launched Security by Design on Google Play Academy...

Introducing Half-Double: New hammering technique for DRAM Rowhammer bug

Research Team: Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu & Mattias Nissler Today, we are sharing details around our discovery of Half-Double, a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips...

Integrating Rust Into the Android Open Source Project

Posted by Ivan Lozano, Android Security & Privacy Team The Android team has been working on introducing the Rust programming language into the Android Open Source Project (AOSP) since 2019 as a memory-safe alternative for platform native code development. As...

Raccoon Stealer Bundles Malware, Propagates Via Google SEO

An update to the stealer-as-a-service platform hides in pirated software, pilfers crypto-coins and installs a software dropper for downloads of more malware.

SAP Customer Survey Reveals False Sense of Security

Many SAP customers have a false sense of security, according to a new report from risk management consultancy Turnkey Consulting and business-critical application security firm Onapsis. The SAP Security Survey Report 2021 is based on information from over 100 SAP...

BazarCaller – the malware gang that talks you into infecting yourself

Calling someone back feels safer than clicking an unknown link... but it isn't! Remind your friends and family.

‘DeadRinger’ Targeted Exchange Servers Long Before Discovery

Cyberespionage campaigns linked to China attacked telecoms via ProxyLogon bugs, stealing call records and maintaining persistence, as far back as 2017.

How American Law Lets Feds Spy On WhatsApp Without Needing To Say Why

Pen registers let governments keep tabs on who WhatsApp users are talking with, when and what IP addresses they’re using, and they don’t have to give judges a full explanation as to why. The same goes for surveillance on...