We've moved! The content on this website is deprecated.
Visit the new site
Bughunter University
Home
Reward Program Rules
Report vulnerability
Behind the Scenes
Blog Posts
Frequently asked questions
Life of a Reward
Our Rewards Philosophy
Duplicates
Lateral Escalation
Systems Sandboxing
Weekly Panel Meeting
Presentations
Google VRP and Unicorns
Las vulnerabilidades favoritas del 2016
Secrets of Google VRP
Secrets of Google VRP: A look from a different angle
War Stories from Google VRP
Statistics and Charts
2014
2015
2016
Improving your reports
Auth Bypass Bugs
Avoid videos... but if you can't, here are some tips :-)
Help us quickly reproduce the bug
How to submit a complete bug report applicable to Android applications
How to submit a complete bug report applicable to Android platform
Reporting URLs that give users access to resources
Use your native language
Verify the output of the tools
What is a security vulnerability?
What is an abuse risk?
When reporting XSS, don't use alert(1)
Write down the attack scenario
Non-qualifying findings
"Back" button that keeps working after logout
Ability to map e-mail addresses to profile names
AngularJS expression sandbox bypass
Attacks facilitating phishing or social engineering
Attacks working only when sharing local account with the attacker
Bugs in recent acquisitions
Bugs in vendor or partner-operated web applications
Commonly reported SSL/TLS vulnerabilities
Cookies that keep working after logout
CSRF in the logout handler
CSV Excel formula injection
Do-it-yourself XSS
Download / print / copy protection bypasses in Drive
Gmail attachment filter bypass
Invalid SPF policy and e-mail spoofing issues
IP/port scanning via Google services
Lack of HSTS (HTTP Strict Transport Security)
Lack of X-Frame-Options without a well-defined risk
Limited content reflection or content spoofing
Open redirectors
Phishing by navigating browser tabs
reCAPTCHA accepting an invalid response to a challenge
Reflected File Download
Spectre Attacks
Unrealistically complicated clickjacking attacks
Using Google Account Recovery to hijack test accounts
XSLeaks and XS-Search
XSRF or clickjacking with no practical use to attackers
XSRF that requires the knowledge of a secret
XSS bugs in sandbox domains
XSS or XSRF that requires header injection
YouTube background playback protection bypass
Statistics and Charts