Google's "0x0A List"

I'm very excited, because the Google Security Team has launched new Application Security pages, including a new Hall of Fame called 0x0A list. Now all related security informations are bundled to a central page. The table below lists the top 10 superstar perform,er since Google launched the vulnerability reward

Cross-Site-Scripting in Google Mail

In the last months I found several XSS vulnerabilities in Google's Gmail. All bugs are now fixed in a very short time. Currently Gmail has around 350 Mio. users and it's clear that Google taking a lot of efforts to protect their users. Safebrowsing Google's Security Tools 2-Step-Verification Vulnerability Reward

Ethiopia gets a new school - thanks to a XSS in Google+

Update 04/29/12: This blog post leads to a persistent XSS bug within InformationWeek.com  (screenshot), because Charlie Miller has tweeted about it. :-)   Update 05/02/12: InformationWeek has fixed the issue. I contribute to the Google Vulnerability Reward Program since November 2010 now and I found a

One year Google web vulnerability research

Adam Mein from the Google Security Team shared today some stats from the VRP of the last 12 months. The facts about one year VRP: $429.000 paid to around 200 researcher for 750qualifying bugs. Roughly half of the bugs that received a reward were discovered in software written by

Apple.com XSS Gallery

In the past I've reported a lot of security bugs to Google (you find here some stats about the last year) and three months ago I've found in just one night a lot of reflective XSS bugs on different apple.com sites. If I try to compare both security team,

XSS on Google.com

I found yesterday a persistent XSS on http://www.google.com. Google Security filled a bug after 32 minutes. I will provide more informations about the bug after a fix is released. Very short response times are the normal case for Google's Security Team. Timeline Initial Report: 24. June 2011,