Google extends bug bounty program to Android Enterprise

Google on Thursday expanded its Android Security Rewards Program by adding a new category where it plans to offer up to a $250,000 reward for a full exploit of a Pixel device running on Android Enterprise.

The new bug bounty comes on the heels of Google announcing added security features to Android 12. For employees, Google will offer additional privacy controls over which work apps can access device data, similar to a user’s experience with personal apps. For admins, Google plans on offering more controls to apply the right set of management configurations for work devices.

Security industry pros like Josh Brewton, virtual chief information security officer of Cyvatar, say there’s great growth potential for Android Enterprise. Brewton said that, because of its built-in flexibility, many users have become accustomed to using their mobile devices for more work tasks, so it only makes sense to incorporate these devices into an enterprise environment.

On the new bug bounty program, Brewton said Google has displayed a certain level of humility: Google doesn’t pretend that it is perfect and accepts that it may not have thought of everything.

“Their bug bounty program allows them to discover vulnerabilities and remediate them before there has been an opportunity for exploitation,” Brewton said. “Doing this helps them get out in front of any possible issues and demonstrates their due diligence if an event occurs.”

Hank Schless, senior manager, security solutions at Lookout, said introducing a vulnerability rewards program for Android Enterprise was a fantastic thing for Google to do.

“As much as we all wish it was the case, shipping software with flawless code is nearly impossible,” Schless said. “Having a program like this in place encourages independent researchers to contribute to the security of the greater community. The more developers introduce these programs the better. Since they’re constantly focused on building and shipping new code, it’s helpful to have another set of eyes look at the code and expose potentially dangerous vulnerabilities. The security research community tends to be very communal by sharing data publicly when they discover a new malware family or software vulnerability.”

John Bambenek, principal threat hunter at Netenrich, added that, most likely, there are fewer Android Enterprise organizations out there given the shift to BYOD. Bambenek said that if he had an employee who wanted enterprise features on their phone, they had better provide the device.

“That said, those organizations tend to be quite large with [higher revenue] and have real security requirements,” Bambenek said. “A bug bounty is always a nice supplement to an organization's own product security efforts. However, it can never replace it. Google has a pretty good track record of finding its own problems, too, so this move should help increase overall confidence in its platform.”
