Google wants the Internet-using world to know that security is a top priority. That’s the message behind the launch of Project Zero, a team of researchers on the prowl for cyber threats and vulnerabilities.
“Beyond securing our own products, interested Googlers also spend some of their time on research that makes the Internet safer, leading to the discovery of bugs like Heartbleed,” Chris Evans, research herder at Google, wrote in a blog post. “The success of that part-time research has led us to create a new, well-staffed team called Project Zero.”
This Needs to Stop
As Evans sees it, you should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, he noted, Google’s security team see the use of "zero-day" vulnerabilities that do everything from targeting human rights activists to conducting industrial espionage.
“This needs to stop. We think more can be done to tackle this problem,” Evans said. “Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. We're hiring the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the Internet.”
Google is promising not to place any particular bounds on the project. The company also vowed to work toward improving the security on any software that large numbers of people depend on. That, Evans said, means paying careful attention to the techniques, targets and motivations of attackers.
“We'll use standard approaches such as locating and reporting large numbers of vulnerabilities,” he said. “In addition, we'll be conducting new research into mitigations, exploitation, program analysis -- and anything else that our researchers decide is a worthwhile investment.”
Google Hiring Security Gurus
Evans also committed to working transparently. That means every bug Project Zero discovers will be filed in an external database. Google will only report bugs to the software’s vendor in as close to real-time as possible, not to third parties. And once a bug report makes its way to the public, which typically happens after a patch is available, you can monitor vendor time-to-fix performance, review discussions about exploitability, and see historical exploits and crash traces.
And with that, Evans made another announcement: Google is hiring.
“We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love -- but in the open and without distraction. We'll also be looking at ways to involve the wider community, such as extensions of our popular reward initiatives and guest blog posts," he said.
We caught up with Paul Ducklin, senior security advisor at Sophos, to get this thoughts on Project Zero. He told us security-minded individuals and companies like Sophos all try to do their best to go the "extra mile" to give back to the community. Sophos, for example, partnered with the Queensland Police in Australia on a security project.
“If there is one thing I'd love to see Google wrap into this Project Zero it would be to put more pressure on,” Ducklin said, “and to make it easier for its own Android partners to ship security updates to end users."