Google goes to war against zero-days
Google has announced the launch of Project Zero, a dedicated internal team that will concentrate on finding zero-day vulnerabilities in Google’s and third-party software so that they can be patched before malicious actors have a chance of misusing them.
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” noted Chris Evans, former head of Google’s Chrome security team and now principal “researcher herder” for Project Zero.
The project is aimed at improving the security of any software that has a large user base.
“We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment,” he explained.
In an interview with Wired, Evans revealed the other (current) members of the team: George Hotz (aka “geohot”), the famous iPhone and PlayStation 3 hacker; and three prolific security researchers and bug hunters who were recruited internally: Tavis Ormandy, Ben Hawkes, and Ian Beer. The current goal is to recruit at least six more.
“We commit to doing our work transparently,” explained Evans. “Every bug we discover will be filed in an external database. We will only report bugs to the software’s vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you’ll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces.”
The vendors will have between 60 and 90 days to issue a patch before Google goes public with the bug. If the vulnerability is already being exploited in the wild, this grace period will be considerably shortened – it could be as little as seven days.
Evans says that the project is a natural continuation of the security measures that Google started implementing in the wake of Edward Snowden’s revelations about the US NSA intercepting Google user information as it moves between the company’s data centers.
Google already has its own internal bug bounty program, and finances several outside ones, as well as a patch reward program for code improvements to open source programs.
Project Zero, Evans claims, is “primarily altruistic,” but it will help keep all users safe – including Google’s. And a user who feels safe is more likely to click on ads, he points out.
Also, the project is a good way for Google to recruit and test researchers that might later contribute to other company projects.
“We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love—but in the open and without distraction,” said Evans, and invited interested researchers to apply for a spot on the team.