RT @GoogleVRP: We're sending a HUGE thank you to our incredible community of bughunters ! 🙏 Your passion for finding vulnerabilities keeps….

As part of our continued commitment to security & transparency on vulnerabilities found in our products & services, effective today we will be issuing CVEs for critical Google Cloud vulnerabilities, even when we do not require customer action or patching.

What do you want to know?.

Mandatory MFA is coming to Google Cloud. We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025.

Big Sleep LLM agent found an exploitable stack buffer underflow in SQLite, the database engine. This is believed to be the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software.

Google's approach to the 7 Secure by Design goals include focus on MFA, default passwords, reducing entire classes of vulnerability, security patches, vulnerability disclosure (VRP), CVEs & evidence of intrusions. Stayed tuned for more re Cloud VRP & CVEs!

Announcing the launch of @googlecloud Vulnerability Reward Program (VRP), dedicated to products & services that are part of Google Cloud. GC VRP focuses on coordinating new vulnerabilities and compensating security researchers. Top award: $101,010.

While cloud providers can support customers in restoring access to their environments or activate backups, cloud providers generally lack the visibility & access to customer environments needed to perform customer incident response & remediation at scale.

Our CVR team performed vuln research on GCP’s AI Platform, Vertex AI & considered potential attack scenarios across Google & industry. They discovered unknown vulns that not remediated potentially could have allowed exfil of Gemini 1.0 Pro model @amlweems

While working with Project Zero, #NickGalloway found an integer overflow in the dav1d AV1 video decoder. He received questions about issue discovery as dav1d is already being fuzzed by oss-fuzz. This is a useful case study in constructing fuzzers 4 effect.

RT @CraigHRowland: The bad news is there is a vulnerability in the CUPS printer system on Linux. The good news is nobody has ever gotten th….

At Google, we continually evolve security capabilities & practices to make our cloud the most trusted cloud. To help protect from stolen creds, cookie theft & accidental creds loss, announcing general availability of cert-based access in our IAM portfolio.

Google's Cloud Vulnerability Research team (CVR) presents vulnerabilities in the 3rd party image library Kakadu, outlining challenges external attackers face exploiting vulnerabilities in unknown environments. @scannell_simon @amlweems @epereiralopez

RT @InfoSecMap: The @BlueTeamVillage at #DEFCON32 had lots of defender-focused activities, and the best pool party! 💙 🛡️. Shoutout to @RayR….

Looking forward to seeing folks tomorrow at our BTV panel in LVCC W3 10 from 3-4p. With over 80 years of SOC experience, we cut the buzzword bingo & get real. We’ll be discussing topics like how to get value with threat intel beyond IOC matching, and more!

RT @woofknight:

I'm excited to be on a panel at the Defcon Blue Team Village on hot topics in security operations with Carson Zimmerman, Enoch Long, and Eric Lippart at 3:00pm Pacific on Saturday in room W310. See you there! #Defcon #BlueTeamVillage #SecurityOperations Hope to see you there!.

I teach my teams this simple mantra: measurability == survivability. “Use specific, quantifiable metrics to showcase improvements in security posture and ops efficiency.” Reductions in vulnerability remediation time, decreases in IR costs, and latency too.

Cirrus: a command-line tool written in Python to facilitate environment access & evidence collection across Google Cloud & is composed of two scripts:.Assistant: automate Google Cloud access setup & cleanup.Collector: collect log, configuration & user data

RT @hetmehtaa: Awesome Security lists for SOC/CERT/CTI.