Security Blog
The latest news and insights from Google on security and safety on the Internet
A secure web is here to stay
February 8, 2018
Posted by Emily Schechter, Chrome Security Product Manager
For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by
gradually
marking
a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.
Developers have been transitioning their sites to HTTPS and making the web safer for everyone.
Progress last year
was incredible, and it’s continued since then:
Over 68% of Chrome traffic on both Android and Windows is now protected
Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
81 of the top 100 sites on the web use HTTPS by default
Chrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are
now available
to help developers migrate their sites to HTTPS in the
latest Node CLI
version of
Lighthouse
, an automated tool for improving web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.
Lighthouse is an automated developer tool for improving web pages.
Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is
easier and cheaper
than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP. Developers, check out our
set-up guides
to get started.
Vulnerability Reward Program: 2017 Year in Review
February 7, 2018
Posted by Jan Keller, Google VRP Technical Pwning Master
As we kick-off a new year, we wanted to take a moment to look back at the Vulnerability Reward Program in 2017. It joins our past retrospectives for
2014
,
2015
, and
2016
, and shows the course our VRPs have taken.
At the heart of this blog post is a big thank you to the security research community. You continue to help make Google’s users and our products more secure. We looking forward to continuing our collaboration with the community in 2018 and beyond!
2017, By the Numbers
Here’s an overview of how we rewarded researchers for their reports to us in 2017:
We awarded researchers more than 1 million dollars for vulnerabilities they found and reported in Google products, and a similar amount for Android as well. Combined with our Chrome awards, we awarded nearly 3 million dollars to researchers for their reports last year, overall.
Drilling-down a bit further, we awarded $125,000 to more than 50 security researchers from all around the world through our
Vulnerability Research Grants Program
, and $50,000 to the hard-working folks who improve the security of open-source software as part of our
Patch Rewards Program
.
A few bug highlights
Every year, a few bug reports stand out: the research may have been especially clever, the vulnerability may have been especially serious, or the report may have been especially fun and quirky!
Here are a few of our favorites from 2017:
In August, researcher Guang Gong
outlined
an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android’s libgralloc. As part of the
Android Security Rewards Program
he received the largest reward of the year: $112,500. The Pixel was the only device that wasn’t exploited during last year’s annual Mobile pwn2own competition, and Guang’s report helped strengthen its protections even further.
Researcher "gzobqq" received the $100,000
pwnium
award for a
chain of bugs
across five components that achieved remote code execution in Chrome OS guest mode.
Alex Birsan discovered that anyone could have gained access to internal
Google Issue Tracker
data. He detailed his research
here
, and we awarded him $15,600 for his efforts.
Making Android and Play even safer
Over the course of the year, we continued to develop our Android and Play Security Reward programs.
No one had claimed the top reward for an Android exploit chain in more than two years, so we
announced
that the greatest reward for a remote exploit chain--or exploit leading to TrustZone or Verified Boot compromise--would increase from $50,000 to $200,000. We also increased the top-end reward for a remote kernel exploit from $30,000 to $150,000.
In October, we introduced the by-invitation-only
Google Play Security Reward Program
to encourage security research into popular Android apps available on Google Play.
Today, we’re expanding the range of rewards for remote code executions from $1,000 to $5,000. We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components. We’ll award $1,000 for these bugs. For more information visit the Google Play Security Reward Program
site
.
And finally, we want to give a shout out to the researchers who’ve submitted fuzzers to the
Chrome Fuzzer Program
: they get rewards for every eligible bug their fuzzers find without having to do any more work, or even filing a bug.
Given how well things have been going these past years, we look forward to our Vulnerability Rewards Programs resulting in even more user protection in 2018 thanks to the hard work of the security research community.
* Andrew Whalley (
Chrome VRP
), Mayank Jain (
Android Security Rewards
), and Renu Chaudhary (
Google Play VRP
) contributed mightily to help lead these Google-wide efforts.
Labels
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2023
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2022
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2021
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2020
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Aug
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
2010
Nov
Oct
Sep
Aug
Jul
May
Apr
Mar
2009
Nov
Oct
Aug
Jul
Jun
Mar
2008
Dec
Nov
Oct
Aug
Jul
May
Feb
2007
Nov
Oct
Sep
Jul
Jun
May
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.