Google's financial incentives for vulnerability detection will be welcomed, but it may attract money-motivated non-technical people

Penetration testing company ProCheckUp has welcomed the announcement by Google to offer rewards for flaw identifications on Chrome.

Penetration testing manager at ProCheckUp Jan Fry commented that Mozilla had been making such an effort for around six years, and it had not made a huge amount of difference to the number of publicly disclosed vulnerabilities.

Fry said: "You may get a few more people interested in finding bugs but the majority of researchers who actually find exploitable vulnerabilities do so for 'fun' rather than money."

In agreement was penetration tester Rolando Fuentes, who said that there are a lot of bug-tracking systems available for almost each application.

He said: "My personal feel is that people are not going to be specially tempted by the reward because they don't have the technical skills for finding bugs, especially debugging and programming ones which from my point of view are required in order to do so.

"As Jan says, I see researchers who don't care about the money because the majority of them are well established anyway and do that just for fun, and perhaps an increment of non-technical people motivated mainly by the money who would try their best for semi-blindly finding a bug in the product.

"Last possibility I see is a slight increase of people trying to become true researchers motivated by both factors, the reward and the seeking of technical expertise."

Finally, another penetration tester, George Christopoulos, commented that it helps software development if there are people actively trying to break at code, as the more people reviewing a code (from the security perspective) the more likelihood a vulnerability or a flaw within the code will be found.

He said: "Due to the financial incentives I personally think that more people will be motivated to 'research' and spend more time trying to find vulnerabilities in the Chrome browser. However, I sense that the majority of these people, will probably be 'script kiddies' and their outcome of their 'research' will be some minor vulnerability disclosure.

"Google's financial incentives are hoping to prompt disclosure of critical vulnerabilities to their research team directly as opposed to an exploit released in the wild. However these critical vulnerabilities require the security researcher to have both skills and time and usually these people are already full time pen testers, well established within the industry, and as such their disclosure will always involve the vendor.

"To summarise disclosure of critical vulnerabilities will most likely occur from individuals who are established within the security industry and their motives for their research will not necessarily be driven by the up to $1,000 that Google is offering. The disclosure of their research (if any vulnerability has been found) will likely involve the vendor anyway, and if a malicious individual will want to make money out of his identified exploit Google's incentives won't stop him either."

The following article appears on SC Magazine. You can click here to read it in its original source.