[hat tip: Ryan Naraine]
Google has decided to have a bugfinding contest for its Native Client. After its Borg-like introduction of the "Android Security Team" (no names, collective only), it also introduced the contest.
For vendors, this is probably the best option available for addressing public vulnerability disclosure. The idea is to increase the value to researchers in order to focus their efforts and presumably find most of the security bugs, rather than the traditional alternative of leaving the product to random public bugfinding.
I wrote a post back in 2005 that mentioned this option:
where random people look for random vulnerabilities in random applications. Randomness is killing us. In this world, the best thing to do is to create a set period of time and have a contest, real or implied. Get everyone focused on one platform, perhaps by offering a reward (from the manufacturer, not this ridiculous stuff by third
It will be interesting to see if the vulnerability discovery curve for Android is significantly different from other solutions. (It would also be great to determine rediscovery rates for vulnerabilities).
Corrected [2/27/09]: Fixed per Ryan's clarification in the comments.
Thanks for the pickup Pete. Small correction: It’s for Native Client, not Android.