Google today announced Project Zero, a new team inside the company focused on protecting the Internet as a whole. The company argues that anyone should be able to use the Web without fear of criminal or state-sponsored attacks that infect their computer, steal their secrets, or monitor their communications.
Yet zero-day vulnerabilities are a daily worry. These are security holes that have not been publicly disclosed yet, and so don’t have a patch available. They are often used in targeted attacks against human rights activists, companies, or governments because they are difficult to detect without prior knowledge.
Google explains its approach to tackling the problem:
Our objective is to significantly reduce the number of people harmed by targeted attacks. We’re hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.
Google already dedicates a lot of money and resources to security, and it says Project Zero was born out of its previous investments. Many employees spend part of their time focusing on security flaws in the company’s software, as well as third-party software, but now there will be a dedicated team for the Internet in general (Google is also already hiring to expand Project Zero).
The company says it is “not placing any particular bounds on this project” – any software depended upon by large numbers of people is fair game. Project Zero will use standard approaches such as locating and reporting large numbers of vulnerabilities, but will also conduct new research into mitigations, exploitation, program analysis, “and anything else that our researchers decide is a worthwhile investment.”
Every new bug will be filed in an external database, but it will be first reported only to the software’s vendor. Once it is public, usually meaning a patch is available, anyone will be able to see vendor time-to-fix performance, discuss the exploitability, as well as view historical exploits and crash traces.
It’s only a matter of time before we hear about the first few discoveries and fixes.
See also: “Three years in, Google has paid researchers over $2 million in security rewards and fixed more than 2,000 bugs” and “Google begins offering financial rewards for proactive security patches made to select open-source projects”
Top Image Credit: Johannes Eisele/Getty Images