Google's Project Zero to Scan Web for Security Flaws
UPDATE 7/16/2014: Added more comments from another security expert.
Fear not, citizen: Google is looking out for you.
Today (July 15) Google announced Project Zero, an in-house team of security researchers dedicated to finding flaws in non-Google software "across the Internet." Google says Project Zero will let the company more directly address zero-day flaws (newly discovered bugs) and other security issues in third-party software that affect Google users and Google products.
Among the members of Project Zero is George Hotz, a.k.a GeoHot, who was the first to carrier-unlock an iPhone in 2007 when he was 17, showed other how to hack a PlayStation 3 in 2010 (Sony sued him) and more recently found a Chrome OS exploit for which Google gave him a $150,000 reward -- and a job.
"Our objective is to significantly reduce the number of people harmed by targeted attacks," said Google security expert (and newly minted head of Project Zero) Chris Evans in a blog post. "We're hiring the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the Internet."
Google says it created Project Zero to improve Internet security for all Internet users. Others in the security industry are a bit more skeptical.
"Google's Project Zero amounts to little more than a PR stunt," said Aaron Portnoy, vice president of Exodus Intelligence, a security company that specializes in discovering zero-day vulnerabilities and disclosing them only to its clients.
"Bug-bounty programs, such as HP's Zero Day Initiative, have upwards of 1,500 researchers submitting vulnerability reports to their program," Portnoy told Tom's Guide, referring to funds that pay rewards to the finders of software flaws.
Portnoy, who once ran the Zero Day Initiative, pointed out that Google isn't the first major corporation to create an in-house team of researchers focused on finding flaws in software other than its own.
"Google adding 10 more researchers to the mix isn't really going to affect our business," he said.
Chaouki Bekrar of VUPEN, a French company that finds and sells zero-day security flaws, also weighed in.
"What Google did not understand is that killing a few zero-days will make Google's researchers/shareholders feel better but it will definitely not kill the market of zero-day exploits, instead it will make it even more lucrative," he told Tom's Guide.
Evans says Project Zero's researchers will first report any flaws they find directly to the affected software's developers. Once the report becomes public (which Evans says is "typically once a patch is available") the bug will be filed in a public database (found here), where people can see how much time passed between a bug's reporting and its patching.
"We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time," Evans added.
The other members of Project Zero include Ben Hawkes, Tavis Ormandy and Ian Beer, well-regarded Google employees with multiple bug discoveries to their names.
Google researchers have been finding security bugs in non-Google products for several years. Often, when researchers find a security flaw and report it to the company in question, the company will pay the researchers a "bug bounty" for their trouble — as Google did for Hotz's Chrome OS bug.
Some freelance researchers depend on these bug bounties for income. Project Zero's salaried researchers (and they're hiring, according to Evans) may cut into their business.
UPDATE: An independent bug bounty hunter named Ciaran Mcnally has also weighed in to Tom's Guide: ""Hopefully the bugs they find can help improve the security of critical software used on a mass scale. It would be interesting to see if [the Project Zero researchers] publish all of their findings or decide to sell them to interested parties."
- 7 Scariest Security Threats headed Your Way
- 12 Things You Didn't Know Could Be Hacked
- 9 Tips to Stay Safe on Public Wi-Fi