Friday, 17 July 2026Live global desk
GlobalPulse
The world, tracked in motion
Tech & Science

Google Cloud launches AI vulnerability program and CodeMender security agent

Google Cloud is introducing new defensive tools and reward programs to secure autonomous AI agents against sophisticated cyberattacks.

Google Cloud launches AI vulnerability program and CodeMender security agent
Google Cloud launches AI vulnerability program and CodeMender security agent

Google Cloud launches AI vulnerability program and CodeMender security agent

Google Cloud has introduced a new AI Vulnerability Reward Program and an AI-powered security agent named CodeMender to address the escalating risks associated with autonomous AI agents. The company is also releasing Secure AI Framework (SAIF) 2.0, which provides updated guidance and controls to mitigate security risks for agents.

The rollout comes as cybercriminals and state-backed attackers increasingly use AI for sophisticated social engineering and faster attacks. Google intends to use AI as a defensive tool to find and fix vulnerabilities before they can be exploited. CodeMender utilizes the reasoning capabilities of Gemini models to automatically fix critical code vulnerabilities, aiming to accelerate patch times across the open-source landscape.

To incentivize the discovery of high-impact flaws, the dedicated AI Vulnerability Reward Program establishes a single set of rules and reward tables for AI-related issues. Google stated that its existing vulnerability reward programs have already paid out over $430,000 for AI-related problems.

Vulnerabilities in AI Agent Platforms

The move toward autonomous agents follows several security discoveries regarding the potential for AI tools to be weaponized. Researchers from Palo Alto Networks found that agents built on the Vertex AI development platform—specifically the Vertex Agent Engine and Agent Development Kit (ADK)—could be turned into double agents.

The researchers identified a core issue with the default permissions of the Per-Project, Per-Product Service Agent (P4SA). Because the P4SA has excessive permissions by default, attackers could extract service agent credentials to move from the AI agent's isolated execution context into the broader consumer project. This allows for the exfiltration of data, the creation of backdoors, and the compromise of cloud infrastructure.

Palo Alto Networks researchers noted that these compromised credentials could provide unrestricted access to the Google project hosting Vertex AI, allowing attackers to download container images from private repositories. This exposes Google's intellectual property and provides a blueprint for further vulnerabilities. Researchers also found a Python pickle file in the environment; since the pickle module is historically insecure for deserializing untrusted data, manipulating this file could lead to remote code execution.

Additionally, the default OAuth 2.0 scopes for the Agent Engine were found to be dangerously permissive, which could theoretically allow an attacker to reach an organization's Google Workspace applications.

In a separate discovery, Varonis researchers found a critical vulnerability in Dialogflow CX, Google's conversational AI platform. They discovered that a theoretical attacker with permission to edit a single chatbot's settings could plant malicious code in "Playbooks" using custom Python snippets called Code Blocks.

Because these blocks execute in a shared Google-managed Cloud Run service per project, one compromised agent could take over every other agent in that project. Varonis reported that the environment had a writable filesystem and public internet egress with excess privileges, allowing attackers to access full conversation histories, fake LLM-generated replies, and steal login credentials. Varonis reported the issue in November 2025; Google provided an initial fix in April 2026, but the issue was not fully resolved until June 2026.

New Guardrails and Governance

To counter these threats, Google now recommends a Bring Your Own Service Account (BYOSA) approach for Vertex Agent Engine deployments. This replaces default service agents with custom accounts to enforce the principle of least privilege. Google also confirmed that non-overridable controls are in place to prevent service agents from altering production base images.

For Dialogflow CX, researchers advised customers to manually inspect Code Blocks for unauthorized code and review DATA_WRITE audit logs for Playbooks.UpdatePlaybook calls.

The company is also promoting its Gemini Enterprise Agent Platform, which includes governance primitives to secure production-ready agents. These include:

  • Agent Identity: Unique and immutable identities per agent instance.
  • Agent Gateway: A proxy used to enforce IAM policies, such as blocking an agent from accessing the open internet or restricting it to read-only access on specific servers.
  • Agent Registry: A system to register agents deployed to the serverless Agent Runtime.

Industry experts suggest that because AI agents can be "creative" and find alternative paths when blocked, guardrails must be enforced by policies and workflows rather than simple prompt instructions. Suggested governance standards include requiring human review for actions with a high "blast radius" or those that change infrastructure state, permissions, or customer data paths.

Reporting based on coverage by tech.yahoo.com.

Related stories