Google’s new Android Enterprise Vulnerability Rewards Program will give you up to $250,000 if you can fully exploit a Pixel 6
In the security world, bug bounties are incredibly common. The reason for their existence is simple and two-fold: they incentivize security researchers to poke holes in the security of a device, as the payout for a successful exploit can be lucrative. The second is that they encourage individuals to privately report their findings, rather than releasing them out into the wild. Google has now announced the Android Enterprise Vulnerability Rewards Program, which can payout up to $250,000 if you can fully exploit an Android Enterprise Pixel device, like the newly-released Google Pixel 6 series.
Android Enterprise is part of Android, and it offers the ability to have a fully locked-down, employer-owned handset with a number of parameters configured by the company. For example, some devices can be completely locked down without any personal space that is entirely managed remotely, and others can have just a containerized work profile managed remotely. What Google is offering is a reward of up to $250,000 for being able to break out of that.
In the same announcement, Google talked a lot about its Android 12-specific Enterprise improvements. It has improved password complexity controls, the ability to disable USB signaling, and more privacy-preserving security controls have been added to the Android work profile, such as network logging of work apps. Google also highlighted the fact that many workers are still working from home, and that the company is working towards a Zero Trust security model. Zero Trust is where trust is never assumed, which is particularly important in the context of a work-from-home environment.
At the same time, Google also announced the Android Management API. It’s a cloud-based API ensuring Enterprise customers receive fast delivery of all enterprise features. Android Enterprise Recommended requirements are set by default. Furthermore, the API can also be modified on the fly using on-device signals to trigger immediate policy changes. Finally, Google is introducing the ability for all Google Workspace (formerly G Suite) users to create a work profile on their smartphone starting next year.
On October 27, Google is also hosting an event to talk about these new security and management solutions with even more to come. You can register for The Art of Control, and find out how the company is bringing together security and management into one offering.