VPNs, at least originally, were designed to provide access to private/business networks across another network. Office to office, home to office, that sort of thing. VPNs were only later turned into some kind of (supposed) security tool.
If your take on VPN code is "as long as your phone can reach the office printer over 5G" then this is a tiny bug. QUIC connections aren't being shut down properly, like they weren't before the introduction of the feature.
If your take on VPN code is "this WireGuard tunnel must keep my identity safe no matter what" or "my security relies on this WireGuard tunnel being an exact copy of all traffic exchanged over the internet" then this is a massive problem.
I don't think Android VPNs, or any VPN to be honest, were ever designed as a privacy or security measure. Especially not against apps with code execution on the device. The device itself will do all kinds of network interactions, some happening from within the modem chip itself.
Closing the bug was a mistake on Google's part, but I can see why they don't consider this a security bug in their bug bounty programme.
Google's Pixel hardware division likely operates at a loss - or breaks even.
and even if every active HN user bought $100-$400 used Pixels from Swappa, meaningless money to them.
Step one… completely reform MBA programs.
If you patch it, you'd need to find another way to de-anonymize those users.
I feel like this should be toward the top of the terms of service for the phone, even above the mandatory arbitration clause.
What planet are you from?