company of the week: google
Google's bounty scope is six roots, and they aren't six Googles — they're six Alphabets: the search-and-ads core (google.com), the two acquisitions that became household names (youtube.com, blogger.com), and three moonshots — DeepMind (AI research), Waymo (self-driving cars), Wing (drone delivery). Read from outside, the estate is enormous and almost boringly clean. The thesis the data makes concrete: big is not the same as exposed. neobotnet's demonstration here is subtractive — it takes the loudest alarms and walks every one of them back to intent.
Google runs a public Vulnerability Reward Program, which puts that estate in scope for outside research — neobotnet's full index is in /urls.
read from dns: six roots, one of them a mirage
Public DNS hands you the shape first. Six root domains, and they aren't six versions of one company — they're six of Alphabet's bets, each still flying its own name:
google · 6 in-scope roots · the whole alphabet, read top to bottom
│
├─ the core .......... google.com 14,890 names → 8,700 distinct ips (search, ads, workspace, cloud)
├─ the pillars ....... youtube.com 8,709 names → 4,048 ips (bought 2006)
│ blogger.com 420 names → 240 ips (bought 2003)
└─ the moonshots ..... deepmind.com 15,010 names → 4 live servers (ai research)
waymo.com 982 names → 7 live servers (self-driving)
wing.com 41 names → 31 live servers (drone delivery)
The DNS finding is the walk-back. 40,052 names resolve, but 14,992 of DeepMind's 15,010 are *.r1.deepmind.com, every one answering to a single shared IP — a DNS wildcard (a record that answers any name you invent under it, whether or not it's real) catching a scanner's guessed names. And the guesses are transparently wordlist-derived: financialplanner.<junk>.r1.deepmind.com and thousands like it, none of them real hosts.
Strip the mirage and DeepMind is 18 real names and 4 live web servers; the honest resolved surface is roughly 25,060, not 40,052. The moonshot with the biggest DNS shadow has the smallest real presence — while google.com and youtube.com, at 8,700 and 4,048 distinct IPs, are the genuinely huge estates. The raw count lies; the shape is what matters.
browse the dns layer in /dns →
read from http: one login, the whole estate
757 hosts answer with a live page, and one title drowns out the rest. The single most common page across all six roots is "Sign in - Google Accounts" — 97 times on google.com, 18 times on wing.com — one SSO (single sign-on: one login that gates many separate services) fronting everything down to a drone-delivery partner portal. The product catalog reads straight off the page titles:
google public web · 757 live hosts · what answers the door
│
├─ the one login ..... "Sign in - Google Accounts" 97× google · 18× wing
│
├─ the core products . "Google" 55 · "YouTube" 55 · "Google Cloud Platform" 16
│ "Data Studio" 15 · "Google Sheets" 11 · "Google Maps" 7
│ "Drive Sign-in" 7 · "Gmail" 5 · "Google Meet" 5
│
└─ live hosts per root google 554 · youtube 92 · blogger 69 · wing 31 · waymo 7 · deepmind 4
│
the live-host order inverts the dns order — the moonshot with the most
names (deepmind) serves the fewest pages; the core serves the most
Even the newest moonshot answers through Google's login. Wing's entire web presence reads in three lines: the SSO 18 times, Wing Drone Delivery marketing 4 times, and Wing Partner Delivery Onboarding 3 times — a drone-delivery partner portal gated by the same account screen that fronts Gmail.
One caveat on the captures: /sorry/index answers 429 — Google's "unusual traffic" bot wall turning the crawler away — so many rows are request shapes, not live bodies. A 200 means the gate loaded, not opened.
see the live pages in /probes →
read from the urls: the payload that isn't
242,857 URLs indexed, 203,222 alive, and across the whole corpus: zero JWTs, zero auth tokens, zero credentials in URLs. The content-type hunt — searching by what a server says a file is (its content_type), not by the extension in the URL — that surfaced 711 customer invoices on Bolt returns about 13 PDFs here and no invoices, no data exports. Google leaks no documents. State the negative plainly: there is no secret in this quarter-million-URL corpus.
What there is, is noise that looks like a finding. Two shapes fire loudly; both walk back.
Finding 1 — 38,596 "cross-domain redirects," every one intentional. A cross-domain redirect is a URL param that sends the browser to another site; it's only dangerous when the server doesn't check the destination belongs to it — that's the open-redirect risk. A scanner screams it 38,596 times here. The composition:
/travel/clk?pcurl=— 38,100, Google Travel's hotel-affiliate click-tracker/url?q=/?url=— 437, Google's documented link redirector, which serves an interstitial warning page/o/oauth2/v2/auth?redirect_uri=— 16, OAuth, cross-domain by design/cloudshell/editor?cloudshell_git_repo=— 13, open-this-GitHub-repo-in-Cloud-Shell/blog-this.g?u=— 12, Blogger's bookmarklet
Every high-volume instance is a mechanism Google runs on purpose and rates low. The alarm is loud and the finding is zero — and telling those two apart is the whole job.
see the cross-domain parameters in /urls →

Finding 2 — 7,584 same-domain login-return tickets. The post-login "send me back here" params: continue (6,830), followup (4,512), url (714), all pointing back to Google properties — the same return-ticket shape 8x8 had, at Google scale. The one test that matters: does every continue/followup strictly validate that the destination stays on-Google? On this data every value is same-domain — a shape to test, not a finding.
see the login-return parameters in /urls →

Two lone signals close the section, both walked back. A single google_api_key sits on /maps/embed/v1/place?key= — a Maps Embed key, public by design and restricted by referring page, not a leak. And a single email hit is a parser artifact on a malformed captured URL, not an address in the open. Neither is real.
One last pass, by hand, through the HTML itself — hunting the corpus for the words that usually mark a soft spot: admin, console, debug, internal, setup. It returns hundreds of live pages, and every cluster is documentation. The 511 "debug" hits are Search Console's /monitor-debug/ guides and Earth Engine's debugging reference; the "console" pages are the Chrome DevTools docs. The interesting-looking parameters go the same way: onload= is reCAPTCHA's own documented callback, template= opens the public issue tracker, and the lone callback= is a 404 on Google Reader, shut down since 2013. The words that look like a way in are the words Google uses to explain the way in.
what it adds up to
Google's estate is well-kept: an SSO wall fronting the whole thing, a bot wall turning away the crawl, and a quarter-million-URL corpus with no cloud keys and no secrets. It's clean precisely enough that a researcher can rank what's left:
- the login-return validation —
continue,followup,redirect_uriacross every entry point. The one class with real surface, and the first thing to test: whether each strictly holds the destination on-Google. - the moonshot and edge stacks — Wing's partner-onboarding portal, Waymo, Blogger. Each answers on its own code at its own patch cadence, separate from the core.
- the wildcard and dark zones — DeepMind's 14,992 phantom names on one IP, a reminder the raw count lies and the real surface is smaller than it looks.
Two things stated plainly, the way this series always closes. Every item above is a signal, not a confirmed vulnerability — neobotnet surfaces the shape; confirming exploitability is the researcher's job. And the right destination for anything live is Google's Vulnerability Reward Program, not a blog post.
next week
neobotnet runs the same pass on a different in-scope program every week. Subscribe via RSS or browse the company of the week archive.
spotted something interesting or wrong? sam@neobotnet.com.
