Google’s Native Client Vulnerability Contest

[hat tip: Ryan Naraine]

Google has decided to hold a bug-finding contest for its Native Client. After its Borg-like introduction of the "Android Security Team" (no names, collective only), it has now introduced the contest as well.

For vendors, this is probably the best option available for addressing public vulnerability disclosure. The idea is to increase the value to researchers in order to focus their efforts, and presumably find most of the security bugs, rather than accept the traditional alternative: random, uncoordinated public bug finding.

I wrote a post back in 2005 that mentioned this option:

> Of course, we don't live in that perfect world. We live in a world where random people look for random vulnerabilities in random applications. Randomness is killing us. In this world, the best thing to do is to create a set period of time and have a contest, real or implied. Get everyone focused on one platform, perhaps by offering a reward (from the manufacturer, not this ridiculous stuff by third parties).

It will be interesting to see if the vulnerability discovery curve for Android is significantly different from that of other solutions. (It would also be great to determine rediscovery rates for vulnerabilities.)

Corrected [2/27/09]: Fixed per Ryan's clarification in the comments.

1 comment for “Google’s Native Client Vulnerability Contest”

  1. February 27, 2009 at 1:16 pm

    Thanks for the pickup Pete. Small correction: It’s for Native Client, not Android.

    _r
