Chris Thompson

Security and usability engineer, experimenter, &c, working on Google Chrome Security.
Twitter (lol): @notyetsecure
Website (old): https://notyetsecure.com
The MOARTLS journey continues! Looking forward to next year https://security.googleblog.com/2025/10/https-by-default.html
HTTPS by default

One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secu...

Google Online Security Blog
I fucked up my repo so bad
@sereeena we didn’t need to make them scream, but we decided to do it anyway to encourage empathy for the machine and a greater understanding of what the internet truly meant

Hi everyone — especially browser security researchers! Today we’ve announced some pretty significant changes to the Chrome VRP reward structure and amounts. This was all built with the purpose of incentivizing deeper and ever more impactful research of Chromium security issues.

I wrote a little blog about it here: https://bughunters.google.com/blog/5302044291629056/chrome-vrp-reward-updates-to-incentivize-deeper-research

We wanted to acknowledge the challenges faced and skills required to find the more complex and impactful issues in Chrome, especially when it comes to demonstrating the full exploitability and impact.

We hope these changes are helpful and inspiring to browser security researchers and signal our continued investment in working with you to make Chrome more secure for all users.

Blog: Chrome VRP Reward Updates to Incentivize Deeper Research

The Chrome VRP is increasing reward amounts and their structure to incentivize high-quality reporting and deeper research of Chrome vulnerabilities, see this post for details!

@adamshostack oops sorry! (Shorthand getting the better of me while phone-posting…) CA = Certificate Authority (for Web PKI), mdsp = Mozilla Dev Security Policy mailing list where CA stuff is discussed publicly (https://groups.google.com/mozilla.org/g/dev-security-policy)
@adamshostack Reading through this made me think about CA incident reports (and resulting discussion/analysis in venues like m.d.s.p.), or at least the idealized form of them. The same mistake Cruise made comes up a lot where CAs fail to proactively share all relevant information and get dinged more for failure to do good incident response/withholding information than for the initial incident itself. Good CA incident reports can be a bit rare but can also be deeply enlightening.
@sereeena slide 4 there giving me evangelion vibes
@quidity Over a decade later and I still think about how some people think Numbers Exist and some people think Numbers Are Just Things That Fit Into The Holes That Are Shaped Like Numbers