Dustin Kirkland
As the VP of Engineering at Chainguard, I’m no stranger to complex software security problems or finding vulnerabilities in code. But nothing could have prepared me for the pride—and the sheer awe—I’ve felt as my daughters, Camille (12) and Corinne (10), both managed to discover and report their own security vulnerabilities in Google technologies in 2024. That's right: both of them, merely months apart. The future of cybersecurity is bright, and it seems the next generation is starting right in my own home!
It all began with Camille, my oldest. She has always had a knack for tinkering with tech, much like her dad, and breaking through controls designed to protect her. But this year, she took it to another level. One day, while we were driving, she asked for a 6-digit access code to unlock her Samsung Android tablet -- a routine request anytime we’re traveling. It’s a rotating code that changes every hour, which is used to unlock Family Link managed devices while off of WiFi. Well, in this particular instance, she memorized that same code and used it twice: first to unlock the device, and then to login to the Android Family Link app as a parent on her device. In a matter of seconds, she had parent-level access, enabling apps that were restricted and extending her time limits to her liking. I kept blocking apps and setting time limits on her app and screen usage, but those configurations kept disappearing and I couldn’t figure it out…
While she did keep this little hack to herself for a while, eventually, she told me about it. We talked about the differences between “white hat” and “black hat” hacking, and “responsible disclosure.” That’s when she asked, "Dad, can we report this to Google? Little kids might use this and see stuff that they’re not supposed to see." Together, we filed a responsible disclosure report with Google’s Vulnerability Rewards Program (VRP). And Camille insisted on writing it in her own words. Her vulnerability was accepted, the severity raised (P1/S1), and she was awarded a cash prize. What did she want to do with it? “Invest it in the stock market, Dad!” she said with a grin. Oh, and she loves to wear her Google Bug Hunters hoodie to school!
Camille’s success, however, also sparked a fire in my younger daughter, Corinne. Now, Corinne is competitive. If Camille found a bug and got a prize, you can bet Corinne wasn’t going to let that slide. And boy, did she make her mark.
Corinne's mission became clear: she set out to deliberately find her own vulnerability. Our Chromecast setup had been causing some complaints from both of the girls—we used the built-in Chromecast parents’ profiles feature, protected by a 4-digit PIN, to separate the apps and content they shouldn’t access. Well Corinne didn't like that very much, and it didn’t take long before she found a way to bypass that pesky PIN altogether. She found that simply mashing the "Home" button a few times (in the right conditions), and voilĂ —she was in the parents’ profile! She had completely bypassed the profile PIN and lock screen and could access any content she wanted!
The look on my face must’ve been priceless when she showed me this. I was floored. Corinne’s triumph wasn’t just about proving she could do it. She came to me and said, "I found my own Google vulnerability like Camille, Dad!" Of course, we reported it, and Google confirmed the bug at P2/S2, and—just like her sister—Corinne was awarded a cash prize. A much, much larger one, to her delight. Her reaction? Corinne told her mom, "Mom, it literally PAYS to tell the truth!"
I was so pleased at how excited she was. The competition for attention between these two sisters is real! And so now, in our household, we have not one but two bug hunters who have successfully bypassed parental controls designed to keep them in check. Camille's exploit showed the power of curiosity, and Corinne’s—well, that just proved how far determination and sibling rivalry can take you.
As a dad, watching my daughters dive into something that’s not only impressive but also ethical and responsible makes me so proud. They’ve both shown that even though they’re young, they can make a real difference in the tech world. The draw of YouTube and those kid-friendly apps is strong, sure—but the pull toward doing what’s right? That’s even stronger.
Here’s to the next generation of ethical hackers, and to always encouraging curiosity in the right direction!
Epilogue
Google rolled out a fix for the Chromecast PIN bypass within a few weeks of reporting, which we were able to confirm on all of our updated Chromecast devices. Which has kept the girls locked out of our parents accounts, so far. But this time, it’s Dad who’s reported his own vulnerability to Google. There’s another flaw in the Chromecast PIN mechanism and he knows that it’s a matter of time before Camille and Corinne find it too, for these two girls are absolutely relentless!!
