Hey all. Long time lurker, first-time poster. I’m still relatively new to the scene, but over the past few months I’ve had a lot of success reverse-engineering and red-teaming Gemini (Google’s AI platform). I’ve found multiple working zero-days and full security bypasses, including architectural issues, and submitted three of them to Google’s official VRP program.
Here’s where it gets frustrating: Two of the exploits were silently patched with zero communication, no acknowledgment, and no bounty, despite being clear violations of Google’s own outlined VRP policy. One day the exploits worked; next day, post-Christmas, they were dead. No appropriate triage, no follow up, nothing. Just patched and ghosted.
I found working bypasses to both patches within 30 minutes. The core issue is architectural, not a simple one liner fix, but it feels like they’re just slapping a band-aid on and pretending the vector doesn’t exist. I’ve since built even more advanced exploit chains, using full red team methodology, and I’m at a crossroads now.
Do I give them another shot and submit one more (hoping they don’t take the piss again)? Or do I start looking elsewhere; private buyers, brokers, or even just responsible public disclosure? These aren’t minor bugs. These are multi-stage attack chains that meet the top payout tier according to their own guidelines.
Would love to hear from others who’ve dealt with VRP, especially folks who’ve reported to Google recently.
Is this a one-off? Or is this becoming the norm? Serious input only please. Appreciate any advice.
[link] [comments]
from hacking: security in practice https://ift.tt/DVSGdzm
Comments
Post a Comment