
Google's Project Zero to Scan Web for Security Flaws

By Jill Scharr | Source: Tom's Guide US | 8 comments

UPDATE 7/16/2014: Added more comments from another security expert.

Fear not, citizen: Google is looking out for you. 

Today (July 15) Google announced Project Zero, an in-house team of security researchers dedicated to finding flaws in non-Google software "across the Internet." Google says Project Zero will let the company more directly address zero-day flaws (bugs for which no patch yet exists) and other security issues in third-party software that affect Google users and Google products.

Among the members of Project Zero is George Hotz, a.k.a. GeoHot, who was the first to carrier-unlock an iPhone in 2007 at age 17, showed others how to hack a PlayStation 3 in 2010 (Sony sued him) and more recently found a Chrome OS exploit for which Google gave him a $150,000 reward -- and a job.


"Our objective is to significantly reduce the number of people harmed by targeted attacks," said Google security expert (and newly minted head of Project Zero) Chris Evans in a blog post. "We're hiring the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the Internet." 

Google says it created Project Zero to improve Internet security for all Internet users. Others in the security industry are a bit more skeptical.

"Google's Project Zero amounts to little more than a PR stunt," said Aaron Portnoy, vice president of Exodus Intelligence, a security company that specializes in discovering zero-day vulnerabilities and disclosing them only to its clients.

"Bug-bounty programs, such as HP's Zero Day Initiative, have upwards of 1,500 researchers submitting vulnerability reports to their program," Portnoy told Tom's Guide, referring to funds that pay rewards to the finders of software flaws.

Portnoy, who once ran the Zero Day Initiative, pointed out that Google isn't the first major corporation to create an in-house team of researchers focused on finding flaws in software other than its own.

"Google adding 10 more researchers to the mix isn't really going to affect our business," he said.

Chaouki Bekrar of VUPEN, a French company that finds and sells zero-day security flaws, also weighed in.

"What Google did not understand is that killing a few zero-days will make Google's researchers/shareholders feel better but it will definitely not kill the market of zero-day exploits, instead it will make it even more lucrative," he told Tom's Guide.  

Evans says Project Zero's researchers will first report any flaw they find directly to the affected software's vendor. Once the report becomes public (which Evans says is "typically once a patch is available"), the bug will be filed in a public database where anyone can see how much time passed between the report and the patch.

"We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time," Evans added. 

The other members of Project Zero include Ben Hawkes, Tavis Ormandy and Ian Beer, well-regarded Google employees with multiple bug discoveries to their names.

Google researchers have been finding security bugs in non-Google products for several years. Often, when researchers find a security flaw and report it to the company in question, the company will pay the researchers a "bug bounty" for their trouble — as Google did for Hotz's Chrome OS bug.

Some freelance researchers depend on these bug bounties for income. Project Zero's salaried researchers (and they're hiring, according to Evans) may cut into their business.

UPDATE: An independent bug bounty hunter named Ciaran Mcnally has also weighed in to Tom's Guide: "Hopefully the bugs they find can help improve the security of critical software used on a mass scale. It would be interesting to see if [the Project Zero researchers] publish all of their findings or decide to sell them to interested parties."

Follow the author on Twitter @JillScharr.

Comments
  • dextermat, July 15, 2014 4:16 PM (+3)
    This should have been done years ago...
  • DalaiLame, July 15, 2014 4:44 PM (-2)
    They will exploit the flaws after the scanning. And of course, the NSA will net the results of the scan.
  • DavidTheExpert, July 15, 2014 7:18 PM (+2)
    This absolutely needs to be made open source. Imagine what Google could do if they have their own mysterious script sweeping every server and every computer connected to the web. This needs to be made open source for the sake of all of us. Let us know exactly what it's doing, so we know that it's not doing anything harmful. And the community could contribute to making it even better too.
  • Christopher1, July 15, 2014 8:30 PM (+1)
    Good on Google. This is something that they should be doing, scanning for common security issues and informing the people who own the servers in question that they are vulnerable.
  • Bernie Fresh, July 15, 2014 9:29 PM (-1)
    Moot point.
  • Hard Line, July 16, 2014 6:26 AM (0)
    The beginning of the end... this is very reminiscent of the beginning of Skynet.
  • Montego, July 16, 2014 7:40 PM (0)
    Since companies often pay rewards for flaws found that could affect their product, I wonder how much the NSA pays for information about those same flaws that they can exploit?