Google has launched a bug rewards program for Android Enterprise

“And since we believe scrutiny and transparency are key to improving security, we’ve launched our first Android Enterprise Vulnerability Rewards Program,” said Rajeev Pathak, Senior Product Manager at Google. “We’re offering a reward of up to $250,000 for a full exploit on a Pixel device running Android Enterprise.” Google is working with industry leaders (e.g., Okta, Ping, and ForgeRock) to move to Custom Tabs for authentication. The company considers this to be the best way to integrate authentication into Android Enterprise apps.

Google has announced the introduction of its first vulnerability rewards programme for Android Enterprise, with up to a $250,000 bounty. This follows the release of various advancements to the platform’s overall security in Android 12. The latest Android version includes security upgrades ranging from turning off USB signalling on corporate devices to prevent USB-based attacks to better password complexity settings that give additional protection for company data.

Highlights

  • Since Google launched its first VRP over ten years ago, it has rewarded more than 2,000 security researchers from 84 different countries worldwide for reporting over 11,000 bugs. Google says that the total bounty earned by researchers amounts to $29,357,516 since January 2010, when it launched the Chromium vulnerability reward program. Rewards paid for qualifying bugs through Google’s VRPs range from $100 to $31,337, but the total amount can also drastically increase for exploit chains. For instance, Alpha Lab’s Guang Gong received a $201,337 payout for a remote code execution exploit chain that could be used to compromise Pixel 3 devices, the biggest single bounty Google has ever paid.

  • The company is also introducing the Android Management API, which would provide the fastest delivery for enterprise features, with Android Enterprise Recommended requirements set by default. In July, Google launched a new platform to host all its vulnerability rewards programs (VRP) under the same roof. Google also launched the Bug Hunter University, enabling bug hunters to brush up on their skills or even start a hunting learning streak. “This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues,” Google said at the time.