Google Announces Project Zero To Hunt Bugs Across The Net

The project will employ security experts to search for ‘zero-day’ exploits in popular software

Google has revealed the existence of Project Zero, a new effort to spot and fix critical vulnerabilities before they can be used in cyber attacks.

The project’s scope will not be limited to Google’s products and services – it is interested in improving the security of any software that’s used to run the Web.

For these purposes, Project Zero will employ a “well-staffed” team of researchers and hackers. According to Wired, it has already recruited experienced bug-hunters Ben Hawkes, Tavis Ormandy and Ian Beer, as well as a single intern – George ‘geohot’ Hotz – a young hacker who came to prominence after successfully circumventing protection of several Apple and Sony products.

“Our objective is to significantly reduce the number of people harmed by targeted attacks. We’re hiring the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the Internet,” wrote Chris Evans, the head of the project.

Avengers assemble

Project Zero will focus on previously unknown, so-called ‘zero-day’ vulnerabilities in any software “depended upon by large numbers of people”. In other words, the team hopes to pick up on problems like the recent Heartbleed hole in the OpenSSL code, which is widely used in web applications.

“We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment,” explained Evans.

The project team will report its discoveries to the relevant software vendor. Once a patch becomes available, it will also publish the results of this work in an external database. This database will enable other security experts to monitor time-to-fix performance and view historical exploits.

It’s worth noting that, because they are previously unknown, zero-day exploits have become a valuable commodity, often sold for $50,000 – $100,000 on underground forums. It is especially refreshing to see Google spend its own money in order to keep these vulnerabilities out of the hands of cyber criminals.

One of the most intriguing members of the team is Hotz. At the tender age of 17, he became the first person to bypass Apple’s operator lock in 2007. Later, the hacker got in legal trouble after successfully reverse-engineering anti-piracy protection on Sony’s PlayStation 3. And in 2013, he received $150,000 from Google after pointing out flaws in its Chrome OS.

Project Zero is still hiring, and qualified security experts might want to get in touch with the company – as it happens, most of the current team members are British. Google said it wants to build a community around the project, with reward initiatives and its own independent blog.

Some have questioned whether Project Zero can really make an impact on the security landscape. “Of course, Google may recruit the best team possible, but the nature of zero-day attacks, and today’s connected world in general, means that, inevitably, things will fall through the cracks,” commented Ross Brewer, VP and MD for international markets at LogRhythm.

“While many of us may rely solely on Google to answer our day-to-day search queries, it would be an error to rely on them to protect our networks in equal measure.

“We’re all building a similar jigsaw and working together could just help us find a crucial missing piece.”
