Tag Archives: safety and security

.App: bringing more people online securely

Posted by Ben Fried, VP, CIO, & Chief Domains Enthusiast

Celebrating 100 of our favorite .app websites. See the list here.

A year ago, we launched .app, the first open top-level domain (TLD) with built-in security through HSTS preloading. Since then, hundreds of thousands of people have registered .app domains, and we want to take a moment to celebrate them.

People are making more websites and apps than ever before. A recent survey we conducted with The Harris Poll found that nearly half (48%) of U.S. respondents plan to create a website in the near future. And a lot of people, especially students, are already building on the web. Over a third (34%) of 16-24 year olds who’ve already created a website did so for a class project.

Having a meaningful domain name helps students turn their projects into reality. Take Ludwik Trammer, creator of shrew.app, who said: “The site started as a project for my graduate Educational Technology class at Georgia Tech. Getting the perfect domain gave me the initial push to turn it into the real deal (instead of making a prototype, publishing a scientific paper on it, and forgetting it).”

Helping creators launch their sites securely

With so many new creators, it’s essential that everyone does their part to make the internet safer. That’s why Google Registry designed .app to be secure by default, meaning every website on .app requires an HTTPS connection to ensure a secure connection to the internet.

HTTPS helps keep you and your website visitors safe from bad actors, who may exploit connections that aren’t secure by:

  • intercepting or altering the site’s content
  • misdirecting traffic
  • spying on open Wi-Fi networks
  • injecting ad malware or tracking


“As a social application, data protection is paramount. As cyber attacks increase, the security benefits a .app domain brings were a key factor for us. We also believe that a .app domain is significantly more descriptive than a .com domain, meaning users can find us more easily! All in all it was a no-brainer for us switching to .app.”

-Daneh Westropp, Founder, pickle.app


There's still work to be done. One out of two people don’t know the difference between HTTP and HTTPS. Many major browsers (like Chrome) warn users in the URL bar when content is "not secure," but every website creator still has a shared responsibility to keep their users safe.

.App is a year in, and we’re happy to see so many people using it to build secure websites and connect with the world. You can read more stories from .app owners here and get your own .app name at get.app. If you’re one of the millions of people planning to build a website, we hope you’ll join us in making the internet safer and take the steps to securely launch your website.

A global hub for privacy engineering, in the heart of Europe

Last week at I/O, our annual developer conference in California, I shared how we’re working to build a more helpful Google for everyone. Keeping people safe online, and their information private and secure, is a big part of how we do this. We believe that privacy and safety must be equally available to everyone in the world, and we bring that to life with products that empower everyone with clear and meaningful choices around their data.

To build on that commitment, this week, we’re officially opening the Google Safety Engineering Center (GSEC) in Munich, Germany. We’re growing our operations and doubling the number of privacy engineers in Munich to more than 200 by the end of 2019, making Germany a global hub for Google’s cross-product privacy engineering efforts. The team will work hand-in-hand with privacy specialists in Google offices across Europe and globally, and the products built there will be used around the world.

It’s no accident that we’re building our privacy hub in the heart of Europe, and in a country that in many ways reflects how Europeans think about online safety, privacy and security. Many of our privacy products have been built in Munich, including Google Account, a central place where you can control your privacy when you use Google products. Today, more than 20 million people visit Google Account every day to review their settings, using tools like Privacy Checkup, which provides a quick and easy walk-through of your privacy settings.

Our Munich-based privacy engineers have also made it easier for you to make decisions about your data by making privacy controls easy to find, without ever leaving the app. This capability is already in Search, and we’re rolling it out to Maps, the Assistant and YouTube, too.  

Building privacy and security into the core of our products doesn’t just mean keeping people safe while using Google’s products—it also means keeping people safe when they browse the web. Munich is also home to engineering teams who have built our privacy and security features into the Chrome browser—like enhanced password management and tools and improvements for our cookie controls.

This is a major milestone in our investments in Europe. Since 2007, we’ve grown in Munich to more than 750 people, hailing from more than 60 countries. We’ll continue to invest in all parts of our operation, including the GSEC team. This year’s expansion will take us beyond 1,000 employees for the first time, making the office a true global hub not only for privacy engineering, but for research and product development, as well.

We’re also working to empower more organizations to do this important work with a new Google Impact Challenge on Safety. It’s a 10 million euro grant fund to support nonprofits, universities, academic research institutions, for-profit social enterprises and other organizations that are already working across Europe on a range of safety issues, from keeping young people safe online to addressing hate crimes in their communities.

These announcements mark a significant step forward in making privacy and security a reality for everyone, and we’re excited our teams in Munich are leading the way.

At I/O ’19: Building a more helpful Google for everyone

Today, we welcomed thousands of people to I/O, our annual developer’s conference. It’s one of my favorite events of the year because it gives us a chance to show how we’re bringing Google’s mission to life through new technological breakthroughs and products.

Our mission to make information universally accessible and useful hasn’t changed over the past 21 years, but our approach has evolved over time. Google is no longer a company that just helps you find answers. Today, Google products also help you get stuff done, whether it’s finding the right words with Smart Compose in Gmail, or the fastest way home with Maps.

Simply put, our vision is to build a more helpful Google for everyone, no matter who you are, where you live, or what you’re hoping to accomplish. When we say helpful, we mean giving you the tools to increase your knowledge, success, health, and happiness. I’m excited to share some of the products and features we announced today that are bringing us closer to that goal.

Helping you get better answers to your questions

People turn to Google to ask billions of questions every day. But there’s still more we can do to help you find the information you need. Today, we announced that we’ll bring the popular Full Coverage feature from Google News to Search. Using machine learning, we’ll identify different points of a story—from a timeline of events to the key people involved—and surface a breadth of content including articles, tweets and even podcasts.

Sometimes the best way to understand new information is to see it. New features in Google Search and Google Lens use the camera, computer vision and augmented reality (AR) to provide visual answers to visual questions. And now we’re bringing AR directly into Search. If you’re searching for new shoes online, you can see shoes up close from different angles and even see how they go with your current wardrobe. You can also use Google Lens to get more information about what you’re seeing in the real world. So if you’re at a restaurant and point your camera at the menu, Google Lens will highlight which dishes are popular and show you pictures and reviews from people who have been there before. In Google Go, a search app for first-time smartphone users, Google Lens will read out loud the words you see, helping the millions of adults around the world who struggle to read everyday things like street signs or ATM instructions.

Google Lens: Urmila’s Story

Helping to make your day easier

Last year at I/O we introduced our Duplex technology, which can make a restaurant reservation through the Google Assistant by placing a phone call on your behalf. Now, we’re expanding Duplex beyond voice to help you get things done on the web. To start, we’re focusing on two specific tasks: booking rental cars and movie tickets. Using “Duplex on the Web,” the Assistant will automatically enter information, navigate a booking flow, and complete a purchase on your behalf. And with massive advances in deep learning, it’s now possible to bring much more accurate speech and natural language understanding to mobile devices—enabling the Google Assistant to work faster for you.

We continue to believe that the biggest breakthroughs happen at the intersection of AI, software and hardware, and today we announced two Made by Google products: the new Pixel 3a (and 3a XL), and the Google Nest Hub Max. With Pixel 3a, we’re giving people the same features they love on more affordable hardware. Google Nest Hub Max brings the helpfulness of the Assistant to any room in your house, and much more.

Building for everyone

Building a more helpful Google is important, but it’s equally important to us that we are doing this for everyone. From our earliest days, Search has worked the same, whether you’re a professor at Stanford or a student in rural Indonesia. We extend this approach to developing technology responsibly, securely, and in a way that benefits all.

This is especially important in the development of AI. Through a new research approach called TCAV—or testing with concept activation vectors—we’re working to address bias in machine learning and make models more interpretable. For example, TCAV could reveal if a model trained to detect images of “doctors” mistakenly assumed that being male was an important characteristic of being a doctor because there were more images of male doctors in the training data. We’ve open-sourced TCAV so everyone can make their AI systems fairer and more interpretable, and we’ll be releasing more tools and open datasets soon.

Another way we’re building responsibly for everyone is by ensuring that our products are safe and private. We’re making a set of privacy improvements so that people have clear choices around their data. Google Account, which provides a single view of your privacy control settings, will now be easily accessible in more products with one tap. Incognito mode is coming to Maps, which means you can search and navigate without linking this activity with your Google account, and new auto-delete controls let you choose how long to save your data. We’re also making several security improvements on Android Q, and we’re building the protection of a security key right into the phone for two-step verification.

As we look ahead, we’re challenging the notion that products need more data to be more helpful. A new technique called federated learning allows us to train AI models and make products smarter without raw data ever leaving your device. With federated learning, Gboard can learn new words like “zoodles” or “Targaryen” after thousands of people start using them, without us knowing what you’re typing. In the future, AI advancements will provide even more ways to make products more helpful with less data.

Building for everyone also means ensuring that everyone can access and enjoy our products, including people with disabilities. Today we introduced several products with new tools and accessibility features, including Live Caption, which can caption a conversation in a video, a podcast or one that’s happening in your home. In the future, Live Relay and Euphonia will help people who have trouble communicating verbally, whether because of a speech disorder or hearing loss.

Project Euphonia: Helping everyone be better understood

Developing products for people with disabilities often leads to advances that improve products for all of our users. This is exactly what we mean when we say we want to build a more helpful Google for everyone. We also want to empower other organizations who are using technology to improve people’s lives. Today, we recognized the winners of the Google AI Impact Challenge, 20 organizations using AI to solve the world’s biggest problems—from creating better air quality monitoring systems to speeding up emergency responses.

Our vision to build a more helpful Google for everyone can’t be realized without our amazing global developer community. Together, we’re working to give everyone the tools to increase their knowledge, success, health and happiness. There’s a lot happening, so make sure to keep up with all the I/O-related news.

Source: Android


Privacy that works for everyone

Whether it’s delivering search results in the correct language or recommending the quickest route home, data can make Google products more helpful to you. And you should be able to understand and manage your data—and make privacy choices that are right for you. That’s why easy-to-use privacy features and controls have always been built into our products. At I/O, we announced a number of additional privacy and security tools across our products and platforms: 

Making it easier to control your data

One-tap access to your Google Account from all our major products
Privacy controls should be easy to find and use. A few years ago, we introduced Google Account to provide a comprehensive view of the information you’ve shared and saved with Google, and one place to access your privacy and security settings. Simple on/off controls let you decide which activity you want to save to your account to make Google products more helpful. You can also choose which activities or categories of information you want to delete.

As the number of Google products has grown, we’re making it even easier to find these controls. Today you’ll see your Google Account profile picture appear in the top right corner across products like Gmail, Drive, Contacts and Pay. To quickly access your privacy controls, just tap on your picture and follow the link to your Google Account. The prominent placement of your profile picture also makes it easier to know when you’re signed into your Google Account. We’re bringing this one-tap access to more products this month, including Search, Maps, YouTube, Chrome, the Assistant and News.

Easily manage your data in Search, Maps and the Assistant
Last year, we made it easier for you to make decisions about your data directly within Search. Without leaving Search, you can review and delete your recent Search activity, get quick access to the most relevant privacy controls in your Google Account, and learn more about how Search works with your data. Now we’re making it easier to manage your data in Maps, the Assistant and YouTube (coming soon). For example, you'll be able to review and delete your location activity data directly in Google Maps, and then quickly get back to your directions.

Auto-delete now available for Web & App Activity, coming soon to Location History
Last week we announced a new control that lets you choose a time limit for the amount of time your Location History and Web & App Activity data will be saved—3 or 18 months. Any data older than that will be automatically and continuously deleted from your account if you choose. This new control is available today for Web & App Activity and coming next month to Location History.

Bringing Incognito mode to Google apps
Since launching more than a decade ago, Incognito mode in Chrome has given you the choice to browse the internet without your activity being saved to your browser or device. As our phones become the primary way we access the internet, we thought it was important to build Incognito mode for our most popular apps. It’s available in YouTube and coming soon to Maps and Search. Tap from your profile picture to easily turn it on or off. When you turn on Incognito mode in Maps, your activity—like the places you search or get directions to—won’t be saved to your Google Account.

Building stronger privacy controls into our platforms
We also made announcements today about privacy across our platforms and products: Android Q is bringing privacy to the forefront of Settings and creating more transparency and control around location. Chrome announced plans to more aggressively restrict fingerprinting across the web and improve cookie controls. Finally, we announced plans to give users more visibility into the data used to personalize ads and the companies involved in the process for the ads that Google shows on our own properties and those of our publishing partners.

Doing more for users with less data

Federated learning makes products more helpful while keeping data on your device
Advances in machine learning are making our privacy protections stronger. One example is federated learning, a new approach to machine learning. It allows developers to train AI models and make products smarter—for you and everyone else—without your data ever leaving your device. These new AI techniques allow us to do more with less data.

Gboard, Google’s keyboard, now uses federated learning to improve predictive typing as well as emoji prediction across tens of millions of devices. Previously, Gboard would learn to suggest new words for you, like “zoodles” or “Targaryen”, only if you typed them several times. Now, with federated learning, Gboard can also learn new words after thousands of people start using them, without Google ever seeing what you’re typing.

We’ve also invested in differential privacy protections, which enable us to train machine learning models without memorizing information that could reveal specific details about a user. We published early research on this topic in 2014, and since then we’ve used it in Chrome, in Gmail with Smart Compose, and in Google Maps to show you how busy a restaurant is. And with the release of the TensorFlow Privacy open-source project, ML developers can now more easily use differential privacy technology.

The strongest security across our products and platforms

Your data is not private if it’s not secure. We’ve always invested in systems to keep our users safe—from our Safe Browsing protection that protects nearly 4 billion devices every day to blocking more than 100 million spam and phishing attempts in Gmail every day. Security keys provide the strongest form of 2-Step Verification against phishing attacks, and now they are built into phones running on Android 7.0 and above, making it available to over one billion compatible devices.

And beginning this summer, anyone with a Nest Account will have the option to migrate their Nest Account to a Google Account, which comes with the added benefits of tools and automatic security protections, like 2-Step Verification, notifications that proactively alert you about unusual account activity and access to Security Checkup.

We strongly believe that privacy and security are for everyone. We’ll continue to ensure our products are safe, invest in technologies that allow us to do more for users with less data, and empower everyone with clear, meaningful choices around their data.

Sharing what’s new in Android Q

This year, Android is reaching version 10 and operating on over 2.5 billion active devices. A lot has changed since version 1.0, back when smartphones were just an early idea. Now, they’re an integral tool in our lives—helping us stay in touch, organize our days or find a restaurant in a new place.

Looking ahead, we’re continuing to focus on working with partners to shape the future of mobile and make smartphones even more helpful. As people carry their phones constantly and trust them with lots of personal information, we want to make sure they’re always in control of their data and how it’s shared. And as people spend more time on their devices, building tools to help them find balance with technology continues to be our priority. That’s why we’re focusing on three key areas for our next release, Android Q: innovation, security and privacy and digital wellbeing.

New mobile experiences

Together with over 180 device makers, Android has been at the forefront of new mobile technologies. Many of them—like the first OLED displays, predictive typing, high density and large screens with edge-to-edge glass—have come to Android first. 

This year, new industry trends like foldable phone displays and 5G are pushing the boundaries of what smartphones can do. Android Q is designed to support the potential of foldable devices—from multi-tasking to adapting to different screen dimensions as you unfold the phone. And as the first operating system to support 5G, Android Q offers app developers tools to build for faster connectivity, enhancing experiences like gaming and augmented reality.

We’re also seeing many firsts in software driven by on-device machine learning. One of these features is Live Caption. For 466 million deaf and hard of hearing people around the world, captions are more than a convenience—they make content more accessible. We worked closely with the Deaf community to develop a feature that would improve access to digital media. With a single tap, Live Caption will automatically caption media that’s playing audio on your phone. Live Caption works with videos, podcasts and audio messages, across any app—even stuff you record yourself. As soon as speech is detected, captions will appear, without ever needing Wifi or cell phone data, and without any audio or captions leaving your phone.

On-device machine learning also powers Smart Reply, which is now built into the notification system in Android, allowing any messaging app to suggest replies in notifications. Smart Reply will now also intelligently predict your next action—for example, if someone sends you an address, you can just tap to open that address in Maps.

A phone screen showing a message coming in with an address, and a chip in the notification that opens the address in Google Maps.

Security and privacy as a central focus

Over the years, Android has built out many industry-first security and privacy protections, like file-based encryption, SSL by default and work profile. Android has the most widely-deployed security and anti-malware service of any operating system today thanks to Google Play Protect, which scans over 50 billion apps every day. 

We’re doing even more in Android Q, with almost 50 new features and changes focused on security and privacy. For example, we created a dedicated Privacy section under Settings, where you’ll find important controls in one place. Under Settings, you’ll also find a new Location section that gives you more transparency and granular control over the location data you share with apps. You can now choose to share location data with apps only while they’re in use. Plus, you’ll receive reminders when an app has your location in the background, so you can decide whether or not to continue sharing. Android Q also provides protections for other sensitive device information, like serial numbers.

Finally, we're introducing a way for you to get the latest security and privacy updates, faster. With Android Q, we’ll update important OS components in the background, similar to the way we update apps. This means that you can get the latest security fixes, privacy enhancements and consistency improvements as soon as they’re available, without having to reboot your phone.

Helping you find balance

Since creating our set of Digital Wellbeing tools last year, we’ve heard that they’ve helped you take better control of your phone usage. In fact, app timers helped people stick to their goals over 90 percent of the time, and people who use Wind Down had a 27 percent drop in nightly phone usage.

This year, we’re going even further with new features like Focus mode, which is designed to help you focus without distraction. You can select the apps you find distracting—such as email or the news—and silence them until you come out of Focus mode. And to help children and families find a better balance with technology, we’re making Family Link part of every device that has Digital Wellbeing (starting with Android Q), plus adding top-requested features like bonus time and the ability to set app-specific time limits.

Phone screens showing new Family Link controls in Android Q.

Available in Beta today

Android Q brings many more new features to your smartphone, from a new gesture-based navigation to Dark Theme (you asked, we listened!) to streaming media to hearing aids using Bluetooth LE. 

A grid of logos that demonstrates which devices and brands Android Q beta is available on, including Pixel, Sony, Nokia, Huawei and LG.

You can find some of these features today in Android Q Beta, and thanks to Project Treble and our partners for their commitment to enable faster platform updates, Beta is available for 21 devices from 13 brands, including all Pixel phones.

Source: Android


Introducing auto-delete controls for your Location History and activity data

Whether you’re looking for the latest news or the quickest driving route, we aim to make our products helpful for everyone. And when you turn on settings like Location History or Web & App Activity, the data can make Google products more useful for you—like recommending a restaurant that you might enjoy, or helping you pick up where you left off on a previous search. We work to keep your data private and secure, and we’ve heard your feedback that we need to provide simpler ways for you to manage or delete it.


You can already use your Google Account to access simple on/off controls for Location History and Web & App Activity and, if you choose, to delete all or part of that data manually. In addition to these options, we’re announcing auto-delete controls that make it even easier to manage your data. Here’s how they’ll work:

GIF showing how to choose how long to keep your web and app activity.

Choose a time limit for how long you want your activity data to be saved—3 or 18 months—and any data older than that will be automatically deleted from your account on an ongoing basis. These controls are coming first to Location History and Web & App Activity and will roll out in the coming weeks.


You should always be able to manage your data in a way that works best for you--and we’re committed to giving you the best controls to make that happen.

The ultimate account security is now in your pocket

Phishing—when an attacker tries to trick you into turning over your online credentials—is the most common cause of security breaches. Preventing phishing attacks can be a major challenge for personal and business users alike. At Google, we automatically block the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password), but an additional layer of protection can be helpful.

Two-step verification (or 2SV) makes it even harder for attackers to gain access to your accounts by adding one more step to the sign-in process. While any form of 2SV, like SMS text message codes and push notifications, improves the security of your account, sophisticated attackers can skirt around them by targeting you with a fake sign-in page to steal your credentials.

We consider security keys based on FIDO standards, like our Titan Security Key, to be the strongest, most phishing-resistant method of 2SV on the market today. These physical security keys protect your account from phishers by requiring you to tap your key during suspicious or unrecognized sign-in attempts.

Now, you have one more option—and it’s already in your pocket. Starting today in beta, your phone can be your security key—it’s built into devices running Android 7.0+. This makes it easier and more convenient for you to unlock this powerful protection, without having to carry around additional security keys. Use it to protect your personal Google Account, as well as your Google Cloud Accounts at work. We also recommend it for people in our Advanced Protection Program—like journalists, activists, business leaders and political campaign teams who are most at risk of targeted online attacks.

Using the built-in security key in a Pixel 3 to log into your Google Account.

To activate your phone’s built-in security key, all you need is an Android 7.0+ phone and a Bluetooth-enabled Chrome OS, macOS X or Windows 10 computer with a Chrome browser. Here’s how to do it:

  1. Add your Google Account to your Android phone.
  2. Make sure you’re enrolled in 2SV.
  3. On your computer, visit the 2SV settings and click "Add security key".
  4. Choose your Android phone from the list of available devices—and you’re done!

When signing in, make sure Bluetooth is turned on on your phone and the device you are signing in on.

We recommend registering a backup security key to your account and keeping it in a safe place, so you can get into your account if you lose your phone. You can get a security key from a number of vendors, including our own Titan Security Key.

Now on Android, your phone is a security key to protect your accounts from phishing. Christiaan Brand, product manager on the Google Cloud Security team, explains why protecting your identity is top of mind for Android.

Here’s to stronger account security—right in your pocket.

Source: Android


Building a safer internet, one secure domain at a time

Do you lock your doors when you're not home or when you’re sleeping at night? Your home protects everything and everyone that lies within it—whether that’s your family, pets or belongings—and a door is the most direct way for a criminal to access your home. Locking your door is the simplest thing you can do to keep safe. Similarly, when you’re browsing the web, there’s one key thing that helps keep you and your information safe and “locked” up.


HTTPS is a certificate that works just like the lock on your front door at home. By “locking” your connection to a website, it helps prevent interception or alteration of content on the site you’re visiting. We want every website to have a lock on it. That’s why Google Registry created safe.page: so you can understand the most direct steps you can take to keep yourself and others safe while browsing the internet.

Visit safe.page to learn how to read a URL (to avoid phishing attacks) and the importance of a secure connection (especially when sharing sensitive info like credit cards and passwords).

Build safely, get rewarded

That’s not all we’re doing to support HTTPS. We're also teaming up with WordPress to make it easy for anyone to build a secure website. They make building secure websites a snap by automatically installing SSL certificates at no cost for domains they host. If HTTPS is locking your online information safely, an SSL certificate acts like the actual lock on the door.


If you’ve been thinking of building a website, now’s a good time to get started: We're running a contest for the best sites created through April 30, 2019. Nine winners will be selected based on their website’s user experience, user interface, originality, design and content clarity. Winners will receive a Pixel 3 phone or equivalent prize and the opportunity to be featured on one of Google Registry's websites (get.page, get.app and get.dev). Entering the competition is simple:

  1. Register your .page, .app or .dev domain. All three extensions are secure by default (registered domains only work with an SSL certificate). You can register your domain through your preferred registrar.
  2. Build your website. You can get started building your site on WordPress.com and save 25 percent using the promo code SAFE_A24F at checkout. (The offer is valid until April 30, 2019.) Websites created in other ways on .app, .page and .dev are also eligible for the contest.
  3. Learn more about the contest rules here, including eligibility restrictions, prize details and entry deadlines. Submit your website to the contest at safe.page.

That’s it! Regardless of whether you create your own secure website, we encourage everyone to visit safe.page to learn the fundamentals of keeping your information safe. Good luck and thanks for doing your part to build a safer internet!

Fighting disinformation across our products

Providing useful and trusted information at the scale that the Internet has reached is enormously complex and an important responsibility. Adding to that complexity, over the last several years we’ve seen organized campaigns use online platforms to deliberately spread false or misleading information.

We have twenty years of experience in these information challenges and it's what we strive to do better than anyone else. So while we have more work to do, we’ve been working hard to combat this challenge for many years.

Today at the Munich Security Conference, we presented a white paper that gives more detail about our work to tackle the intentional spread of misinformation—across Google Search, Google News, YouTube and our advertising systems. We have a significant effort dedicated to this work throughout the company, based on three foundational pillars:

  • Improve our products so they continue to make quality count;
  • Counteract malicious actors seeking to spread disinformation;
  • Give people context about the information they see.

The white paper also explains how we work beyond our products to support a healthy journalistic ecosystem, partner with civil society and researchers, and stay one step ahead of future risks.

We hope this paper and increased transparency can lead to more dialogue about what we and others can do better on these issues. We're committed to acting responsibly and thoroughly as we tackle this important challenge.

Working with security researchers to make the web safer for everyone

What do a 19-year-old researcher from Uruguay, a restaurant owner from Cluj, Romania and a Cambridge professor have in common? They’re all security researchers—a global community of professionals, academics, students and hobbyists who are essential to the safety of our products and the web as a whole. We’re grateful to be a part of this community and support their work in a bunch of ways, including the Vulnerability Rewards Program and our 2018 Privacy and Security academic research awards.

Vulnerability Reward Program: Year in Review

Whether it’s been written by a PhD or a hobbyist, software inevitably has bugs that make it behave in unexpected ways. The important thing is that bugs are identified and patched as quickly as possible. Back in 2010, we started the Vulnerability Reward Program to get help from the security research community in identifying and reporting bugs in Google apps and software. The goal of the program is simple: encourage researchers to report issues so that we can fix them quickly and keep users’ data secure. We also provide financial rewards for bug reporters, ranging from $100 to $200,000, based on the risk level of their discovery. 

Since 2015, we’ve taken a look back at what VRP researchers have done to help make Google users safer. Here’s 2018, by the numbers:

[Infographic: Vulnerability Reward Program, 2018 by the numbers]

Thanks to researchers from all around the world, we’ve been able to patch all different types of bugs. Ezequiel Pereira, a 19-year-old researcher from Uruguay, uncovered a Remote Code Execution (RCE) bug that allowed him to gain remote access to our Google Cloud Platform console. Tomasz Bojarski from Poland discovered a bug related to cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data or perform actions on behalf of someone else. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant. After Dzmitry Lukyanenka, a researcher from Minsk, Belarus, lost his job, he began bug-hunting full-time and became part of our VRP grants program, which provides financial support for prolific bug-hunters over time.

Security and Privacy Research awards

We’ve also worked closely with leading security and privacy experts in academia, collaborating when we can provide the technology needed to carry out specific research projects. Academic breakthroughs help improve data privacy and security for years to come. Last year, we announced the Security and Privacy research awards, a new effort to recognize academics who have made major contributions to the field. Awards winners are selected by a committee of senior security and privacy researchers at Google.

Today, we’re revealing the 2018 winners—and on their behalf, we’re making a financial contribution to their universities totaling more than half a million dollars:

Whether they’re finding bugs today or making breakthroughs that will protect the web years into the future, the security research community is making everyone’s information safer online. We’ll continue to do our part to support it.