Secrets of Google VRP: A look from a different angle

by Krzysztof Kotowicz, Google Security Team

In Google VRP, we receive and process over 600 vulnerability reports a month. While the majority of them end up being invalid, some of the vulnerabilities reported by our bughunters from all over the world are amazing in terms of their severity, their impact and/or the difficulty of patching them at Google scale. While some of them have already been described at various security conferences or in writeups, most of them remain unknown to the security community.

In this presentation, we'll highlight the most interesting bug reports submitted through Google VRP, with root causes in our own products, in open source libraries, and in common software stacks. We'll analyze the security patches to the libraries that we helped create, and reveal the full story behind them. For example, you'll get to know what the reason was behind a couple of Angular security releases.

Additionally, we'll give insights into how we evaluate and deal with vulnerability reports internally. Special focus will be put on the remediation process: making sure that a given vulnerability is not only patched, but prevented from ever happening again.

The following presentation was given at RuhrSec 2017.

Slides