DOM-Based XSS at accounts.google.com, a long awaited alert() has been popped-up by Google Voice Extension.
Research: The mass CSRFing of *.google.com/* products, more than $30K in rewards.
Google bugs stories and the shiny pixelbook, some of my findings in Google VRP in 2017
My first bug in @googlevrp, a lovingly XSS in helpouts.google.com back in 2013
My blog and my Twitter feed, for updates on security findings, and other stuff.