Security Blog
The latest news and insights from Google on security and safety on the Internet
Android Security 2015 Annual Report
April 19, 2016
Posted by Adrian Ludwig, Lead Engineer, Android Security
Today, for the
second year in a row
, we’re releasing our Android Security Annual report. This detailed summary includes: a look at how Google services protect the Android ecosystem, an overview of new security protections introduced in 2015, and our work with Android partners and the security research community at large. The full report is
here
, and an overview is below.
One important goal of releasing this report is to drive an informed conversation about Android security. We hope to accomplish this by providing more information about what we are doing, and what we see happening in the ecosystem. We strongly believe that rigorous, data-driven discussion about security will help guide our efforts to make the Android ecosystem safer.
Enhancing Google's services to protect Android users
In the last year, we’ve significantly improved our machine learning and event correlation to detect potentially harmful behavior.
We protected users from malware and other Potentially Harmful Apps (PHAs), checking over 6 billion installed applications per day.
We protected users from network-based and on-device threats by scanning 400 million devices per day.
And we
protected hundreds of millions of Chrome users on Android
from unsafe websites with Safe Browsing.
We continued to make it even more difficult to get PHAs into Google Play. Last year’s enhancements reduced the probability of installing a PHA from Google Play by over 40% compared to 2014. Within Google Play, install attempts of most categories of PHAs declined including:
Data Collection: decreased over 40% to 0.08% of installs
Spyware: decreased 60% to 0.02% of installs
Hostile Downloader: decreased 50% to 0.01% of installs
Overall, PHAs were installed on fewer than 0.15% of devices that only get apps from Google Play. About 0.5% of devices that install apps from both Play and other sources had a PHA installed during 2015, similar to the data in last year’s report.
It’s critical that we also protect users that install apps from sources other than Google Play. Our
Verify Apps service
protects these users and we improved the effectiveness of the PHA warnings provided by Verify Apps by over 50%. In 2015, we saw an increase in the number of PHA install attempts outside of Google Play, and we disrupted several coordinated efforts to install PHAs onto user devices from outside of Google Play.
New security features in the Android platform
Last year, we
launched Android 6.0 Marshmallow
, introducing a variety of new security protections and controls:
Full disk encryption is now a requirement for all new Marshmallow devices with adequate hardware capabilities and is also extended to allow encryption of data on SD cards.
Updated app permissions enable you to manage the data they share with specific apps with more granularity and precision.
New verified boot ensures your phone is healthy from the bootloader all the way up to the operating system.
Android security patch level
enables you to check and make sure your device has the most recent security updates.
And much more, including support for fingerprint scanners, and SELinux enhancements.
Deeper engagement with the Android ecosystem
We’re working to foster Android security research and making investments to strengthen protections across the ecosystem now and in the long run.
In June,
Android joined Google’s Vulnerability Rewards Program
, which pays security researchers when they find and report bugs to us. We fixed over 100 vulnerabilities reported this way and paid researchers more than $200,000 for their findings.
In August, we launched our
monthly public security update program
to the Android Open Source Project, as well as a security update lifecycle for Nexus devices. We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs. Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices. Despite this progress, many Android devices are still not receiving monthly updates—we are increasing our efforts to help partners update more devices in a timely manner.
Greater transparency, well-informed discussions about security, and ongoing innovation will help keep users safe. We'll continue our ongoing efforts to improve Android’s protections, and we look forward to engaging with the ecosystem and security community in 2016 and beyond.
Helping webmasters re-secure their sites
April 18, 2016
Posted by Kurt Thomas and Yuan Niu, Spam & Abuse Research
Every week,
over 10 million users encounter harmful websites
that deliver malware and scams. Many of these sites are compromised personal blogs or small business pages that have fallen victim due to a weak password or outdated software. Safe Browsing and Google Search protect visitors from dangerous content by displaying browser warnings and labeling search results with
'this site may harm your computer'
. While this helps keep users safe in the moment, the compromised site remains a problem that needs to be fixed.
Unfortunately, many webmasters for compromised sites are unaware anything is amiss. Worse yet, even when they learn of an incident, they may lack the security expertise to take action and address the root cause of compromise. Quoting one webmaster from a survey we conducted, “our daily and weekly backups were both infected” and even after seeking the help of a specialist, after “lots of wasted hours/days” the webmaster abandoned all attempts to restore the site and instead refocused his efforts on “rebuilding the site from scratch”.
In order to find the best way to help webmasters clean-up from compromise, we recently teamed up with the University of California, Berkeley to explore how to quickly contact webmasters and expedite recovery while minimizing the distress involved. We’ve summarized our key lessons below. The full study, which you can read
here
, was recently presented at the
International World Wide Web Conference
.
When Google works directly with webmasters during critical moments like security breaches, we can help 75% of webmasters re-secure their content. The whole process takes a median of 3 days. This is a better experience for webmasters and their audience.
How many sites get compromised?
Number of freshly compromised sites Google detects every week.
Over the last year Google detected nearly 800,000 compromised websites—roughly 16,500 new sites every week from around the globe. Visitors to these sites are exposed to low-quality scam content and malware via
drive-by downloads
. While browser and search warnings help protect visitors from harm, these warnings can at times feel punitive to webmasters who learn only after-the-fact that their site was compromised. To balance the safety of our users with the experience of webmasters, we set out to find the best approach to help webmasters recover from security breaches and ultimately reconnect websites with their audience.
Finding the most effective ways to aid webmaster
Getting in touch with webmasters:
One of the hardest steps on the road to recovery is first getting in contact with webmasters. We tried three notification channels: email, browser warnings, and search warnings. For webmasters who proactively registered their site with
Search Console
, we found that email communication led to 75% of webmasters re-securing their pages. When we didn’t know a webmaster’s email address, browser warnings and search warnings helped 54% and 43% of sites clean up respectively.
Providing tips on cleaning up harmful content:
Attackers rely on hidden files, easy-to-miss redirects, and remote inclusions to serve scams and malware. This makes clean-up increasingly tricky. When we emailed webmasters, we included tips and samples of exactly which pages contained harmful content. This, combined with expedited notification, helped webmasters clean up 62% faster compared to no tips—usually within 3 days.
Making sure sites stay clean:
Once a site is no longer serving harmful content, it’s important to make sure attackers don’t reassert control. We monitored recently cleaned websites and found 12% were compromised again in 30 days. This illustrates the challenge involved in identifying the root cause of a breach versus dealing with the side-effects.
Making security issues less painful for webmasters—and everyone
We hope that webmasters never have to deal with a security incident. If you are a webmaster, there are some quick steps you can take to reduce your risk. We’ve made it easier to
receive security notifications through Google Analytics
as well as through
Search Console
. Make sure to register for both services. Also, we have laid out helpful tips for
updating your site’s software
and
adding additional authentication
that will make your site safer.
If you’re a hosting provider or building a service that needs to notify victims of compromise, understand that the entire process is distressing for users. Establish a reliable communication channel before a security incident occurs, make sure to provide victims with clear recovery steps, and promptly reply to inquiries so the process feels helpful, not punitive.
As we work to make the web a safer place, we think it’s critical to empower webmasters and users to make good security decisions. It’s easy for the security community to be pessimistic about incident response being ‘too complex’ for victims, but as our findings demonstrate, even just starting a dialogue can significantly expedite recovery.
Growing Eddystone with Ephemeral Identifiers: A Privacy Aware & Secure Open Beacon Format
April 14, 2016
Posted by
Nirdhar Khazanie, Product Manager and
Yossi Matias, VP Engineering
Last July, we
launched
Eddystone, an open and extensible Bluetooth Low Energy (BLE) beacon format from Google, supported by Android, iOS, and Chrome. Beacons mark important places and objects in a way that your phone can understand. To do this, they typically broadcast public one-way signals ‒ such as an Eddystone-UID or -URL.
Today, we're introducing Ephemeral IDs (EID), a beacon frame in the Eddystone format that gives developers more power to control who can make use of the beacon signal. Eddystone-EID enables a new set of use cases where it is important for users to be able to exchange information securely and privately. Since the beacon frame changes periodically, the signal is only useful to clients with access to a resolution service that maps the beacon’s current identifier to stable data. In other words, the signal is only recognizable to a controlled set of users. In this post we’ll provide a bit more detail about this feature, as well as Google’s implementation of
Eddystone-EID
with Google Cloud Platform’s
Proximity Beacon API
and the Nearby API for Android and CocoaPod for iOS.
Technical Specifications
To an observer of an Eddystone-EID beacon, the AES-encrypted eight byte beacon identifier changes pseudo-randomly with an average period that is set by the developer ‒ over a range from 1 second to just over 9 hours. The identifier is generated using a key and timer running on the beacon. When the beacon is provisioned, or set up, the key is generated and exchanged with a resolution service such as Proximity Beacon API using an Elliptic Curve Diffie-Hellman key agreement
protocol
, and the timer is synchronized with the service. This way, only the beacon and the service that it is registered with have access to the key. You can read more about the technical details of Eddystone-EID from the
specification
‒ including the provisioning process ‒ on GitHub, or from our recent
preprint
.
An Eddystone-EID contains measures designed to prevent a variety of nuanced attacks. For example, the rotation period for a single beacon varies slightly from identifier to identifier, meaning that an attacker cannot use a consistent period to identify a particular beacon. Eddystone-EID also enables safety features such as proximity awareness, device authentication, and data encryption on packet transmission. The
Eddystone-TLM
frame has also been extended with a new version that broadcasts battery level also encrypted with the shared key, meaning that an attacker cannot use the battery level as an identifying feature either.
When correctly implemented and combined with a service that supports a range of access control checks, such as Proximity Beacon API, this pattern has several advantages:
The beacon’s location cannot be spoofed, except by a real-time relay of the beacon signal. This makes it ideal for use cases where a developer wishes to enable premium features for a user at a location.
Beacons provide a high-quality and precise location signal that is valuable to the deployer. Eddystone-EID enables deployers to decide which developers/businesses can make use of that signal.
Eddystone-EID beacons can be integrated into devices that users carry with them without leaving users vulnerable to tracking.
Integrating Seamlessly with the Google Beacon Platform
Launching today on
Android
and
iOS
, is a new addition to the wider Google beacon platform: Beacon Tools. Beacon Tools allows you to provision and register an Eddystone-EID beacon, as well as associate content with your beacon through the Google Cloud Platform.
In addition to Eddystone-EID and the new encrypted version of the previously available Eddystone-TLM, we’re also adding a common configuration protocol to the Eddystone family. The
Eddystone GATT service
allows any Eddystone beacon to be provisioned by any tool that supports the protocol. This encourages the development of an open ecosystem of beacon products, both in hardware and software, removing restrictions for developers.
Eddystone-EID Support in the Beacon Industry
We’re excited to have worked with a variety of industry players as Eddystone-EID develops. Over the past year, Eddystone
manufacturers
in the beacon space have grown from 5 to over 25. The following 15 manufacturers will be supporting Eddystone-EID, with more to follow:
Accent Systems
Bluvision
Reco/Perples
Beacon Inside
Estimote
Sensoro
Blesh
Gimbal
Signal360
BlueBite
Nordic
Swirl
Bluecats
Radius Networks
Zebra
In addition to beacon manufacturers, we’ve been working with a range of innovative companies to demonstrate Eddystone-EID in a variety of different scenarios.
Samsonite
and
Accent Systems
have developed a suitcase with Eddystone-EID where users can securely keep track of their personal luggage.
K11
is a Hong Kong museum and retail experience using
Sensoro
Eddystone-EID beacons for visitor tours and customer promotions.
Monumental Sports
in Washington, DC, uses
Radius Networks
Eddystone-EID beacons for delivering customer rewards during Washington Wizards and Capitals sporting events.
Sparta Digital
has produced an app called Buzzin that uses Eddystone-EID beacons deployed in Manchester, UK to enable a more seamless transit experience.
You can get started with Eddystone-EID by creating a Google Cloud Platform project and purchasing compatible hardware through one of our
manufacturers
. Best of all, Eddystone-EID works transparently to beacon subscriptions created through the Google Play Services Nearby Messages API, allowing you to run combined networks of Eddystone-EID and Eddystone-UID transparently in your client code!
Improvements to Safe Browsing Alerts for Network Administrators
April 6, 2016
Posted by Nav Jagpal, Software Engineer
We
launched
Safe Browsing Alerts for Network Administrators over 5 years ago. Just as Safe Browsing warns users about dangerous sites, this service sends notifications to network administrators when our systems detect harmful URLs on their networks.
We’ve made good progress:
22k ASNs are being monitored, or roughly 40% of active networks
1300 network administrators are actively using the tool
250 reports are sent daily to these administrators
Today, to provide Network Admins with even more useful information for protecting their users, we’re adding URLs related to Unwanted Software, Malicious Software, and Social Engineering to the set of information we share.
Here’s the full set of data we share with network administrators:
Compromised
: Pages harming users through
drive-by-download
or exploits.
Distribution
: Domains that are responsible for launching exploits and serving malware. Unlike compromised sites, which are often run by innocent webmasters, distribution domains are typically set up with the primary purpose of serving malicious content.
Social Engineering
: Deceptive websites that trick users into performing unwanted actions such as downloading software or divulging private information. Social engineering includes phishing sites that trick users into revealing passwords.
Unwanted Software
: URLs which lead to software that violates our
Unwanted Software Policy
. This kind of software is often distributed through deceptive means such as social engineering, and has harmful software traits such as modifying users’ browsing experience in unexpected ways and performing unwanted ad injections. You can learn more about Unwanted Software, or UwS,
here
.
Malware Software
: Traditional malware downloads, such as trojans and viruses.
Network administrators can use the data provided by our service to gain insights into the security and quality of their network. By working together, we can make it more challenging and expensive for attackers to profit from user harm.
If you’re a network administrator and haven’t yet registered your AS, you can do so
here
. If you are experiencing problems verifying ownership, please
contact us
.
More Encryption, More Notifications, More Email Security
March 24, 2016
Posted by Nicolas Lidzborski, Gmail Security Engineering Lead and Jonathan Pevarnek,
Jigsaw
Engineer
Today, we’re announcing a variety of new protections that will help keep Gmail users even safer and promote email security best practices across the Internet as a whole.
New tools and industry standards make email even safer
On
Safer Internet Day
this year, we introduced a new visual element to Gmail that lets users know when they’ve received a message that wasn’t delivered using encryption or if they’re composing a message to a recipient whose email service doesn’t support TLS encryption. It’s the red lock icon featured below:
This has had an immediate, positive effect on Gmail security. In the 44 days since we introduced it, the amount of inbound mail sent over an encrypted connection
increased by 25%
. We’re very encouraged by this progress! Given the relative ease of implementing encryption and its significant benefits for users, we expect to see this progress continue.
However, as our recent
research
with the University of Michigan and University of Illinois shows, misconfigured or malicious parts of the Internet can still tamper with email encryption. To help ensure TLS encryption works as intended, we’ve teamed-up with a variety of industry partners — including Comcast, Microsoft, and Yahoo!— to submit a
draft IETF specification
for “SMTP Strict Transport Security.” With this new proposed standard, companies can ensure that mail will only be delivered through encrypted channels, and that any encryption failures should be reported for further analysis, helping shine the spotlight on any malfeasance occurring around the Internet.
Safe Browsing makes Gmail more secure
Since 2007,
Safe Browsing
has protected users across the web by warning them before they visit dangerous sites known for phishing, malware, and
Unwanted Software
. Over the years, we’ve brought the protections afforded by Safe Browsing to other Google products as well, including: Chrome,
Android
, Ads, Google Analytics, and more.
Safe Browsing already protects Gmail users by identifying potentially dangerous links in messages. Starting this week, Gmail users will begin to see warnings if they click these links, further extending this protection to different web browsers and email apps. The full-page warning will look like this:
Enhancing state-sponsored attack warnings
Since 2012
, we’ve warned Gmail users when we suspect they’ve been targeted by state-sponsored attackers:
These warnings are rare—fewer than 0.1% of users ever receive them—but they are critically important. The users that receive these warnings are often activists, journalists, and policy-makers taking bold stands around the world.
Today, we’re launching a new, full-page warning with instructions about how these users can stay safe. They may see these new warnings instead of, or in addition to, the existing ones.
The security of our users and their data is paramount. We’ll continue to build new protections, and work closely with the broader email ecosystem to support and improve standards such as TLS, that keep users safe.
Certificate Transparency for Untrusted CAs
March 21, 2016
Posted by Martin Smith, Software Engineer, Certificate Transparency
Today we are announcing a new Certificate Transparency log for a new set of root certificates: those that were once or are not yet trusted by browsers.
Certificate Transparency
(CT) data has a number of different uses, including protecting users from mis-issued certificates and providing webmasters and other interested parties with a public record of what certificates have been issued for domains.
Initially
, our logs included browser-trusted Certificate Authorities (CAs). However, there are two main classes of CA that can’t easily be included in the existing logs:
Those that were once trusted and have since been withdrawn from the root programs.
New CAs that are on the path to inclusion in browser trusted roots.
Including these in trusted logs is problematic for several reasons, including uncertainties around revocation policies and the possibility of cross-signing attacks being attempted by malicious third-parties.
However, visibility of these CAs’ activities is still useful, so we have created a new CT log for these certificates. This log will not be trusted by Chrome, and will provide a public record of certificates that are not accepted by the existing Google-operated logs.
The new log is accessible at
ct.googleapis.com/submariner
and is listed on our
Known Logs
page. It has the same API as the existing logs.
Initially, Submariner includes certificates chaining up to the set of root certificates that
Symantec
recently announced it had discontinued, as well as a
collection of additional roots
suggested to us that are pending inclusion in Mozilla.
Once Symantec’s affected certificates are no longer trusted by browsers, we will be withdrawing them from the trusted roots accepted by our existing logs (Aviator, Pilot, and Rocketeer).
Third parties are invited to suggest additional roots for potential inclusion in the new log by email to
google-ct-logs@googlegroups.com
.
Everyone is welcome to make use of the log to submit certificates and query data. We hope it will prove useful and help to improve web security.
BinDiff now available for free
March 18, 2016
Posted by Christian Blichmann, Software Engineer
BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. It is used by security researchers and engineers across the globe to identify and isolate fixes for vulnerabilities in vendor-supplied patches and to analyze multiple versions of the same binary. Another common use case is to transfer analysis results from one binary to another, helping to prevent duplicate analyses of, for example, malware binaries. This also helps to retain knowledge across teams of binary analysts where the individual workflows might vary from analyst to analyst.
More specifically, BinDiff can be used to:
Compare binary files for x86, MIPS, ARM/AArch64, PowerPC, and other architectures.
Identify identical and similar functions in different binaries.
Port function names, comments and local variable names from one disassembly to another.
Detect and highlight changes between two variants of the same function.
Here is a screenshot demonstrating what using BinDiff to display per-function differences looks like:
At Google, the BinDiff core engine powers a large-scale malware processing pipeline helping to protect both internal and external users. BinDiff provides the underlying comparison results needed to cluster the world's malware into related families with billions of comparisons performed so far.
Ever since zynamics
joined Google
in 2011, we have been committed to keeping our most valuable tools available to the security research community. We first lowered the price, and today we are taking the next logical step by making it available free of charge.
You can download BinDiff from the
zynamics web site
. It’s the current version, BinDiff 4.2 for both Linux and Windows. To use it, you also need the commercial Hex-Rays IDA Pro disassembler, 6.8 or later.
Happy BinDiff-ing!
Securing the web, together
March 15, 2016
Posted by Rutledge Chin Feman and Tim Willis, HTTPS Evangelists
Encryption keeps people’s information safe as it moves between their devices and Google, protecting it from interception and unauthorized access by attackers. With a modern encrypted connection, you can be confident that your data will be private and secure.
Today we are launching a new section of our
Transparency Report
to track the progress of encryption efforts—both at Google and on some of the web's most trafficked sites. Our aim with this project is to hold ourselves accountable and encourage others to encrypt so we can make the web even safer for everyone.
Here's an overview of what is included in the new report:
Google sites
Every week, we’ll update this report with progress we've made towards implementing HTTPS by default across Google’s services. We’ve long offered Gmail, Drive, and Search over HTTPS, and in the last year, we’ve begun to add traffic from more products, like
ads
and
Blogger
as well.
We're making positive strides, but we still have a ways to go.
This chart represents the percentage of requests to Google's servers that used encrypted connections. YouTube traffic is currently not included in this data.
We plan on adding additional Google products over time to increase the scope of this report.
Popular third-party sites
Our report also includes data about the
HTTPS connections on many popular sites across the web
, beyond Google. We've chosen these sites based on a combination of publicly-available
Alexa data
and our own Google internal data; we estimate they account for approximately 25% of all web traffic on the Internet.
Certificate Transparency
Websites use certificates to assert to users that they are legitimate, so browsers need to be able to check whether the certificate that you’re being presented is valid and appropriately issued. That is why this report also offers a
Certificate Transparency log viewer
, providing a web interface for users and site administrators to easily check and see who has issued a certificate for a website. For example, if you use this log viewer and search for google.com with ‘include expired' checked, you'll see the
mis-issued google.com certificate from September 2015
.
Encryption for everyone
Implementing HTTPS can be difficult—we know from experience! Some common obstacles include:
Older hardware and/or software that doesn’t support modern encryption technologies.
Governments and organizations that may block or otherwise degrade HTTPS traffic.
Organizations that may not have the desire or technical resources to implement HTTPS.
While there’s no one-size-fits-all solution to these challenges,
we’ve put together a resource for webmasters to use
as they work through this process. We also support industry-wide efforts, like EFF's ‘
Encrypt the Web
’ report, that aim to bring more of the web to HTTPS.
Implementing encryption is not easy work. But, as more people spend more of their time on the web, it’s an increasingly essential element of online security. We hope this report will provide a snapshot of our own encryption efforts and will encourage everyone to make HTTPS the default on the web, even faster.
Get Rich or Hack Tryin’
March 14, 2016
Posted by Nathan Parker, Chrome Defender and Tim Willis, Hacker Philanthropist
Since 2010, we've happily rewarded researchers who find and report security issues to us through Google’s Security Reward Program. Last year,
Google paid researchers more than $2,000,000 for their work
to make Google users safer.
It's no secret that Chrome takes security seriously. Today, we’re introducing two new changes to expand the Chrome Reward Program even further:
Increasing our top reward from $50,000 to $100,000.
Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.
Adding a Download Protection Bypass bounty.
We’re extending our reward program scope to include rewards for methods that bypass Chrome’s
Safe Browsing
download protection features
. There’s much more detail on this new category on
our rewards page
- be sure to take a look if you’re interested.
We look forward to seeing some amazing bugs and continuing to work with the security research community.
Happy hacking!
Scalable vendor security reviews
March 7, 2016
Posted by Lukas Weichselbaum and Daniel Fabian, Google Security
[Cross-posted on the
Google Open Source Blog
]
At Google, we assess the security of hundreds of vendors every year. We scale our efforts through automating much of the initial information gathering and triage portions of the vendor review process. To do this we've developed the Vendor Security Assessment Questionnaire (VSAQ), a collection of self-adapting questionnaires for evaluating multiple aspects of a vendor's security and privacy posture.
We've received feedback from many vendors who completed the questionnaires. Most vendors found them intuitive and flexible — and, even better, they've been able to use the embedded tips and recommendations to improve their security posture. Some also expressed interest in using the questionnaires to assess their own suppliers.
Based on this positive response, we've decided to open source the VSAQ Framework (Apache License Version 2) and the generally applicable parts of our questionnaires on GitHub:
https://github.com/google/vsaq
. We hope it will help companies spin up, or further improve their own vendor security programs. We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture.
The VSAQ Framework comes with four security questionnaire templates that can be used with the VSAQ rendering engine:
Web Application Security Questionnaire
Security & Privacy Program Questionnaire
Infrastructure Security Questionnaire
Physical & Data Center Security Questionnaire
All four base questionnaire templates can be readily extended with company-specific questions. Using the same questionnaire templates across companies may help to scale assessment efforts. Common templates can also minimize the burden on vendor companies, by facilitating the reuse of responses.
The
VSAQ Framework
comes with a simple client-side-only reference implementation that's suitable for self-assessments, for vendor security programs with a moderate throughput, and for just trying out the framework. For a high-throughput vendor security program, we recommend using the VSAQ Framework with a custom server-side component that fits your needs (the interface is quite simple).
Give VSAQ a try! A demo version of the VSAQ Framework is available here:
https://vsaq-demo.withgoogle.com
Excerpt from Security and Privacy Programs Questionnaire
Let us know how VSAQ works for you:
contact us
. We look forward to getting your feedback and continuing to make vendor reviews scalable — and maybe even fun!
Labels
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2023
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2022
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2021
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2020
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Aug
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
2010
Nov
Oct
Sep
Aug
Jul
May
Apr
Mar
2009
Nov
Oct
Aug
Jul
Jun
Mar
2008
Dec
Nov
Oct
Aug
Jul
May
Feb
2007
Nov
Oct
Sep
Jul
Jun
May
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.