Google’s new Android Enterprise Vulnerability Rewards Program will pay security researchers up to $250,000 for exploits affecting Pixel smartphones running Android Enterprise.
The company announced its latest bug bounty program in a blog post highlighting several enterprise-focused security upgrades introduced with Android 12, such as “improving password complexity controls to make it easier to protect company data, and disabling USB signaling on company-owned devices to limit USB-based attacks,” among other feature updates.
Google said it’s “supercharging the role of identity providers in Zero Trust environments on Android,” too, by giving them access to the information they need to “build a comprehensive analysis of trustworthiness before granting access to corporate resources.” This should make it easier for companies managing Android devices to accurately control those devices’ access to resources. (Palo Alto Networks has a solid explanation of the Zero Trust model in its Cyberpedia.)
The company’s final announcement was the new Android Management API Extensibility framework that’s supposed to allow Enterprise Mobility Management (EMM) solution users to “adjust Android Management API capabilities on the fly using on-device signals to trigger immediate policy changes and solve for unique and evolving business needs.”
Google knows that bragging about platform security is one of the quickest ways to inspire people to find ways around those protections, though, which is where the Android Enterprise Vulnerability Rewards Program comes in. Unfortunately, the company hasn’t offered many details regarding the scope of the program or when it will start to accept submissions for it.
The page Google linked to in its blog post leads to the existing Android Security Rewards Program, which applies to vulnerabilities found in the operating system running on the company’s latest Pixel smartphones. The maximum payout for this program is $1 million, however, and the submission guidelines don’t include anything specific to Android Enterprise.
“Those pages should be updated soon,” a Google spokesperson told us. “The enterprise program will be part of the broader Android program.” The page wasn’t updated by the time of writing, however, which is a day after the program was revealed.
Google plans to share more information about Android Enterprise and how it’s being used by organizations like the FBI, Walmart, and others during an event called The Art of Control on Oct. 27. (Twitter flagged the link to that event as “being potentially spammy or unsafe,” by the way, at least as it appeared in the tweet about it from the official Android account.)