This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.

We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why Google adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.

You can read up on our full policy at: https://www.google.com/about/appsecurity/.

This is not an official Google product.

The disclosure of vulnerabilities are all in the form of security advisories, which can be browsed in the Security Advisories page.

Accompanying proof-of-concept code will be used to demonstrate the security vulnerabilities.

The advisories and patches posted here are free and open source.

See LICENSE for further details.

The easiest way to contribute to our security research projects is to correct the patches when you see mistakes.

Please read up our Contribution policy.