We got 7000 USD bounty from Google VRP. Nice, but hard work.

Good and interesting desirable bug 😂🍀❤️

@wwkenwong
@vxresearch

Add V8SandboxFuzzer · googleprojectzero/fuzzilli@675eccd This is a basic fuzzer for the V8 Sandbox. It uses the memory corruption API to implement a random-but-deterministic (given a seed) traversal through the V8 heap object graph and corrupts some obje...

We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojec...
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!

Blog - Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort spanning half a decade that combines the unique strengths of Apple silicon hardware with our adv...

I have often stated that well-implemented memory tagging will be a game changer for memory corruptions. And it seems that with the next iPhone it's finally here: security.apple.com/blog/memory-...

We derestricted crbug.com/382005099 today which might just be my favorite bug of the last few years: bad interaction between WebAudio changing the CPU's handling of floats and V8 not expecting that. See crbug.com/382005099#co... for a PoC exploit. Also affected other browsers

V8 Sandbox - Bytecode Verification V8 Sandbox - Bytecode Verification Author: saelo@ First Published: November 2025 Last Updated: November 2025 Status: Draft Visibility: PUBLIC Tracking Bug: crbug.com/461681036 This document is part ...

More details: docs.google.com/document/d/1...

Implementation: source.chromium.org/chromium/chr...

We derestricted a number of vulnerabilities found by Big Sleep in JavaScriptCore today: issuetracker.google.com/issues?q=com...

All of them were fixed in the iOS 26.1 (and equivalent) update last month. Definitely some cool bugs in there!

I've uploaded the slides of my recent talk "JS Engine Security in 2025": saelo.github.io/presentation.... I think there'll also be a recording available at some point (otherwise I can make one as not everything's in the slides).

Fantastic conference as usual, big thanks to the PoC Crew!

Some more cool JS Engine bugs found by Big Sleep were fixed in yesterday's Apple security updates: support.apple.com/en-us/125632
Technical details will be available soon at issuetracker.google.com/issues?q=com...

VXCON VXCON, we are glad to invite a few prominent speakers and researchers all over the world. They are frequent speakers of Blackhat, DEF CON, HITCON and in various global hacker and security conference. ...

We are going to hold VXCON
www.vxcon.hk

This time is a real thrilling announcement as our paper about template-based fuzzing for JavaScript engine is accepted in OOPSLA24-25.

Thank you so much to every co-authors including Ken Wong, Dongwei Xiao, Dr. Daoyuan Wu Dr. Shuai Wang and Yiteng Peng.

What a good evening!

Congratulations to Carl Smith from v8 Security team and join Blackhat USA review board as guest reviewer. He is willing to share, open-minded, and a hardcore researcher and developer.

@rwx.page

… Threat actors will expose more about their plans when they get in only, and let them get into our matrix. This is more interactive with threat actor, and it is the art.

… the back-end system is all fabricated, when particular threat actor is detected. We can differentiate who is the threat actor or not with provision of different security level of backend systems.

Adversarial Misuse of Generative AI | Google Cloud Blog We share our findings on government-backed and information operations threat actor use of the Gemini web application.

The countries always attempt to hack into vendor platforms or apps, my idea is making a “Realistic Honeypot Platform” and let them in, capture as much as information about them and …

cloud.google.com/blog/topics/...

An inspiration of beginning of new year. It is our first Chrome VRP bounty.

Our first Chrome VRP bounty, it is an inspiration and keep going.

We got our first Google Chrome bounty for minimum wage or McDonalds before Christmas 🎄.

Getting money from Google is mission impossible.

Minimum wage 🤣

We are glad to complete VXCON. Thank you so much to every speakers, guest, and crew member to make it happen.

#vxcon #vxrl

V8 Sandbox - Trusted Space V8 Sandbox - Trusted Space Author: saelo@ First Published: October 2023 Last Updated: October 2023 Status: Living Doc Visibility: PUBLIC This document is part of the V8 Sandbox Project and discusses...

Here's another V8 sandbox design document, this time discussing how sensitive ("trusted") V8-internal objects (such as BytecodeArrays) can be protected: docs.google.com/document/d/1...
This should be one of the last pieces of infrastructure required for the sandbox.

Finally got around to publishing the slides of my talk @offensivecon.bsky.social from ~two weeks ago. Sorry for the delay!

The V8 Heap Sandbox: saelo.github.io/presentation...

Fantastic conference, as usual! :)

Chrome Vulnerability Reward Program Rules | Google Bug Hunters ATTENTION As of 4 February 2024, Chromium has migrated to a new issue tracker, please report security bugs to the new issue tracker using this form . Please see the Chrome VRP News and FAQ page for mo...

Another big step towards becoming a security boundary: today we’re expanding the VRP for the V8 Sandbox

* No longer limited to d8

* Rewards for controlled writes increased to $20k

* Any memory corruption outside the sandbox is now in scope

bughunters.google.com/about/rules/...

Happy hacking!

www.youtube.com/live/b9Ohamk...

VXCON finished and thank you so much to everyone.