RuhrSec 2017: 'Secrets of the Google Vulnerability Reward Program', Krzysztof Kotowicz

RuhrSec is the annual English-speaking non-profit IT security conference with cutting-edge security talks by renowned experts. RuhrSec is organized by Hackmanit.

Abstract. In Google VRP, we receive and process over 600 vulnerability reports a month. While the majority of them end up being invalid, some of the vulnerabilities reported by our bughunters from all over the world are amazing, in terms of their severity, impact and/or the difficulty of patching them on a Google scale. While some of them were already described in the past at various security conferences or writeups, most of them remain unknown to the security community.

In this presentation, we'll highlight the most interesting bug reports submitted through Google VRP, with root causes in our own products, in open source libraries, or in common software stacks. We'll analyze the security patches to the libraries we helped create and reveal the full story behind them. For example, you'll get to know what the reason was behind a couple of Angular security releases.

Additionally, we'll give insights on how we evaluate and deal with vulnerability reports internally. Special focus will be put on the remediation process - making sure that a given vulnerability is not only patched, but prevented from happening ever again.

Biography. Krzysztof Kotowicz is an Information Security Engineer at Google and a panel member of Google's Vulnerability Rewards Program. He's a web security researcher specialized in JavaScript, browser extensions and client-side security. He is the author of multiple open-source pentesting tools and of recognized HTML5/UI redressing attack vectors, and a speaker at international IT security conferences and meetings (Black Hat, BruCON, Hack In Paris, CONFidence, SecurityByte, HackPra, OWASP AppSec, Insomni'Hack).

Speaker: Krzysztof Kotowicz

Comments

Manish bhattacharya: Congratulations from quora.
