Alex Rebert (@ayper)'s Twitter Profile

Security @ Google. Previously co-founder of @ForAllSecure. Opinions here are my own. @[email protected]

ID: 15722324

04-08-2008 14:02:36

117 Tweets

526 Followers

667 Following

Perri Adams (@perribus)

I’m excited to announce the AI Cyber Challenge, a major, two-year DARPA competition challenging the best and the brightest in cybersecurity and AI to secure the systems on which all Americans rely. aicyberchallenge.com

cje (@caseyjohnellis)

this is a big one… if you have opinions on this, make sure that they are heard 👀 Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages | ONCD | The White House m.cje.io/3s2Xz6t

Google VRP (Google Bug Hunters) (@googlevrp)

Ever struggle with C++ buffer issues? Spatial Safety is one of the main root causes for in-the-wild exploits! Read more about how we piloted the LLVM proposal for C++ Buffer Hardening here: bughunters.google.com/blog/636855965…

Royal Hansen (@royalhansen)

Today I spoke on the importance of Secure by Design on behalf of Google alongside Cybersecurity and Infrastructure Security Agency, FDD, Venable LLP & more. We also launched a paper on Google's approach to Secure by Design & published on how it can be applied to address memory safety vulns: blog.google/technology/saf…

Royal Hansen (@royalhansen)

"just as our efforts to eliminate XSS attacks through tooling showed, removing large classes of exploits both directly benefits consumers of software and allows us to move our focus to addressing further classes of security vulnerabilities." security.googleblog.com/2024/03/secure…

Anthony Weems (@amlweems)

Excited to share this blog post about server-side memory corruption that my team exploited in production. Shout-out to Simon Scannell, Ezequiel Pereira, and 那个饺子🦆(JJ) - this was a very fun project. :-) bughunters.google.com/blog/622075742…

tylerni7 (@tylerni7)

Released a blog about our Theori AIxCC experience! medium.com/@sa-blog/winni… Tim Becker and I were hoping to have more info about other challenges, but they aren't released, so some of the information is a bit limited. Still, hope folks can enjoy reading it!

Alex Rebert (@ayper)

The drop in Android's memory safety vulnerabilities is astonishing. It's counterintuitive, but prioritizing memory-safe languages in new code quickly reduces memory-safety risks. Once we turn off the tap of new vulnerabilities, they start decreasing exponentially.

Alex Rebert (@ayper)

Excited to share Google's memory safety strategy! We're working to build safer software by migrating to memory-safe languages like Rust as well as hardening our existing C++: security.googleblog.com/2024/10/safer-…. We'll be sharing more details in upcoming posts.

Lukas Weichselbaum (@we1x)

The dedication and hard work has paid off: "for hundreds of complex web applications that are built on Google’s hardened and safe-by-design frameworks, we've averaged less than one XSS report per year in total" (see page 9 of the whitepaper).

Kinuko Yasuda (@kinu)

Bounds-checking in C++: so people ask if the .3% overhead is real. It's not just a benchmark result, we got this through our Google-Wide profiling, that gives us the live insights from DCs. This surprised us too as it was much cheaper than we thought research.google/pubs/google-wi…

Google VRP (Google Bug Hunters) (@googlevrp)

Celebrating 15 years of password hacking 💻 🔑, Swiss Army knives (and sometimes even chainsaws or swords) included! 😲 Discover how Google's security teams turn employee farewells into security tests. bughunters.google.com/blog/635526578…

Google VRP (Google Bug Hunters) (@googlevrp)

🛡️Want to help make the open source world safer and earn up to $45k 💰? We've revamped our Patch Rewards Program, extending its scope and increasing rewards for security patches – with a particular focus on memory safety, including bonus multipliers! bughunters.google.com/blog/527306491…

Alex Rebert (@ayper)

We're joining forces with industry & academia to call for memory safety standardization: security.googleblog.com/2025/02/securi…. It's a recognition that memory unsafety is no longer a niche technical problem but a societal one, impacting everything from national security to personal privacy.

Heather Adkins - Ꜻ - Spes consilium non est (@argvee)

Hardening the C++ Standard Library at massive scale. A look at increasing memory safety with libc++ hardening — a collaborative paper from engineers at Apple and Google. The results have been impressive: at Google the team discovered and fixed 1000+ bugs as hardening was enabled.