"brutecat is super talented", "luckily I'm not oncall ;)", "incredible"
These are all real quotes from Googlers after seeing this blog post. Amazing work @brutecat, thank you for sharing!
PSA for security researchers!
In our latest post, we're taking a closer look at how Google Spark (which was recently launched) works, ways to approach bug hunting in Spark, and how to distinguish high-impact vulnerabilities from expected system behavior.
bughunters.google.com/blog/s…
Blast from the past
This post takes us back to a flaw discovered in 2010: while technology has advanced, the general story of how the flaw was detected is still a great example of effectively identifying and remediating a security issue.
bughunters.google.com/blog/b…
More on Google's approach to post-quantum cryptography
This time, we're taking a closer look at digital signatures and the complex challenges they present, and discussing the opinionated paths we are taking at Google in this space.
bughunters.google.com/blog/n…
More on passkeys!
This time we are focusing on storage options, in particular the differences between using a password manager vs. a hardware security key to store your credentials, and why you might choose one option over the other.
bughunters.google.com/blog/h…
In April 2026, we held the latest edition of bugSWAT (our live event for security researchers) in Seoul, South Korea.
For more information on this edition's focus, its impact & winners, as well as bugSWAT in general, see:
bughunters.google.com/blog/b…
Calling all Android and Chrome bug hunters!
We're updating our Android & Chrome VRP programs to ensure we can continue to reward the most challenging and impactful vulnerabilities researchers find in our products. For details:
bughunters.google.com/blog/e…
I achieved a cross-tenant #RCE in #GoogleCloud simply by abusing predictable bucket names.
In my latest research for @FocalSecurity, I look into "Bucket Squatting" - a cross-tenant attack that landed me 3 critical vulnerabilities in GCP.
Here is how it works:
Attention bug hunters!
The Google VRP is updating its reward model, with a focus on the impact of vulnerabilities and the sensitivity of the data involved. To this end, we're introducing two dimensions: Information Tiers and Action Criticality.
bughunters.google.com/blog/s…
Ever wondered how passkeys work, and how they improve on classic passwords?
For more details, see our latest post, and you'll also learn what makes passkeys particularly resistant against phishing.
bughunters.google.com/blog/p…
Open source security researchers, take note: we've updated the OSS VRP rules! We're emphasizing the need for actionable reports and verifiable reproduction steps, to allow us to focus on critical threats with real-world impact.
For more details:
bughunters.google.com/blog/o…
Our Google Cloud VRP researchers don't miss! Check out @terminatorLM's latest Looker research uncovering 9 novel cross-tenant vulns in Looker.
See how it was done:
LeakyLooker: 1 Cross-tenant vulnerability? How about 9? (1/10)
I'm incredibly proud to share LeakyLooker. I discovered 9 novel cross-tenant vulnerabilities in Google Cloud's Looker Studio that broke fundamental design assumptions.
Here is how I broke tenant isolation:
Hot off the press: 2025 highlights of Google's vulnerability reward programs!
Notably, we awarded an all-time high of over $17 million in rewards and kicked off the dedicated AI VRP.
Thank you to our incredible bug hunting community!!!
bughunters.google.com/blog/g…
Interested in AI and agent security at Google?
This post looks at how we mitigated the risk of URL-based data exfiltration through provenance checks and sanitization, effectively blocking a prompt injection-based exploitation vector.
bughunters.google.com/blog/m…
Offline authentication on Android?
Find out how the FIDO Alliance's Hybrid transport architecture was expanded to support this crucial scenario, and how this increases reliability and unlocks many new use cases.
bughunters.google.com/blog/h…
Next up in our series on Android and authentication:
Learn how the FIDO Alliance's Hybrid protocol has been expanded beyond CTAP messages to also support generic JSON, and which new use cases this extended approach enables.
bughunters.google.com/blog/h…
Curious how we go about security reviews at Google? In this case, we teamed up with Intel to take a closer look at Intel Trust Domain Extensions (TDX) 1.5 and help secure the confidential computing space!
For the details:
bughunters.google.com/blog/a…
Want to move beyond passwords?
Check out this beginner's guide to Cross-Device Passkeys! Learn how "Hybrid transport" uses QR codes and Bluetooth to let you sign in securely on any device, even public ones, without ever sharing your private keys.
bughunters.google.com/blog/p…