This is good bug hunting
n/t
Google's gVisor sandboxed kernel had a bug that would allow an attacker to escape their container and overwrite files in the host filesystem – according to Google Project Zero's Jann Horn. Horn popped his advisory up once Google's open-source folk posted fixes for the software at its GitHub repository. The high-severity bug, …
How about checking up on Google Groups, which has probably generated trillions of Usenet and email spams in the past decade due to feature abuse vulnerabilities? I have part of GMail blacklisted right now because Groups can be tricked into creating subscriptions for arbitrary e-mail addresses. I reported it and Google said it's not a security bug.
I have only two groups but have so far found the spam protection pretty good. One group requires moderation by first time posters, the other one you just need to be registered. I get occasional spam reports for the stuff that Google thinks is probably spam and it usually is. Funny thing was last week that my own e-mails were suspected, probably due to being on an anonymous VPN at the time.
But I guess volume may depend on the subject. If in doubt, however, enable moderation of posters.
NB. this has nothing really to do with software security.
Google filters out their own spam when they display Google Groups but lets it all flow out to their peers. Last the I used Usenet, popular topics were each getting 100 to 5000 spams a day from Chinese crime gangs scripting Google Groups. There's a new hack to make Groups work like a mailing list. Google knows about it but doesn't care.
...if a lazy group owner/administrator doesn't set up verified membership checking...
I'm a moderator of a reasonably popular group (over 1,000 members, been going 10 years on Google and on Yahoo! before), and we get almost no spam. Probably had one bit in the last 5 years or so.
If you create a phpBB forum and don't moderate new member applications because you're useless, would you blame phpBB for that?