DOM-based XSS at accounts.google.com: A long-awaited alert() has been popped up by the Google Voice Extension.
Research: Mass CSRF Affecting Multiple Google Products (*.google.com/*), Resulting in a more than $30,000 Reward.
Google Bug Stories and the Shiny Pixelbook: My 2017 Findings in the Google VRP.
My first bug in @GoogleVRP: A "lovingly" XSS vulnerability found on helpouts.google.com back in 2013.
Follow my blog and my Twitter feed for updates on security findings, and other related content..