I'm very excited because the Google Security Team has launched new Application Security pages, including a new Hall of Fame called the 0x0A list.
Now all related security information is bundled on a central page.
The table below lists the top 10 superstar performers since Google launched the vulnerability reward
In the last few months I found several XSS vulnerabilities in Google's Gmail. All bugs were fixed in a very short time. Currently Gmail has around 350 million users, and it's clear that Google is putting a lot of effort into protecting its users.
* Safebrowsing
* Google's Security Tools
* 2-Step-Verification
* Vulnerability Reward
Update 04/29/12: This blog post led to a persistent XSS bug on InformationWeek.com (screenshot), because Charlie Miller tweeted about it. :-)
Update 05/02/12: InformationWeek has fixed the issue.
I have been contributing to the Google Vulnerability Reward Program since November 2010, and I have found a
Adam Mein from the Google Security Team today shared some stats from the VRP for the last 12 months.
The facts about one year of the VRP: $429,000 paid to around 200 researchers for 750 qualifying bugs.
Roughly half of the bugs that received a reward were discovered in software written by
In the past I've reported a lot of security bugs to Google (you can find some stats about the last year here), and three months ago I found a lot of reflected XSS bugs on different apple.com sites in just one night.
If I try to compare both security teams,
Yesterday I found a persistent XSS on http://www.google.com.
Google Security filed a bug after 32 minutes. I will provide more information about the bug after a fix is released. Very short response times are the norm for Google's Security Team.
Timeline
Initial Report: 24 June 2011,