Google App Engine Java security sandbox bypasses

It a pretty fair assumption to expect the Java runtime itself to be in an OS-level sandbox, Google would never treat that much native code as the last layer of security.<p>The App Engine CPython runtime can also be subverted in a variety of ways, but about the most exciting thing you can trigger here is for the process hosting your code to immediately be killed.

Google have a very good track record in security and that&#x27;s the reason why GAE-J is my system of choice. I am ignorant on their bounty offerings though, but I would have assumed Google are state of the art there. Can someone fill me in on the background and intentions of Security Explorations?

Just JVM things.

Can somebody explain me why GAE does not use virtualization as a security layer? Xen is a powerful, free, mature product that utilizes clever techniques along with hardware support to provide the best isolation layer yet available. AWS EC2 runs just fine on Xen, GAE seems to have lots and lots of hiccups.

Keep in mind that Oracle is one of the companies actively working with NSA as per some of the Snowden leaks. I trust anything java based not at all. (on the more practical side)