Seeking Software Vulnerabilities, Google Launches Project Zero

Google is creating a new team called Project Zero, dedicated to improving the security of software by seeking out vulnerabilities and monitoring exploits

In the wake of Heartbleed, everyone is still reeling from the havoc that one software vulnerability can wreak on the safety of the web. Provoked to action, Google is creating a new team called Project Zero, dedicated to improving the security of software by seeking out vulnerabilities and monitoring exploits.

“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” explained Chris Evans, a Google “researcher herder,” in a blog post. “Yet in sophisticated attacks, we see the use of zero-day vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.”

Project Zero is first and foremost a human resource-intensive project. Evans said that the search giant is “hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.” He added, “We’re hiring. We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love—but in the open and without distraction.”

As for goals, the idea is to seek out rafts of software bugs, but Evans underscored that there aren’t limitations on the scope of the work. “We will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers,” he said. “We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.”

When the team discovers a bug, it will be filed in an external database and reported to the software’s vendor only – and no third parties. Once the bug report becomes public (typically once a patch is available), interested parties will be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces.

“We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time,” Evans said. “We’ll also be looking at ways to involve the wider community, such as extensions of our popular reward initiatives and guest blog posts.”

Google has been working to beef up its security of late, including implementing SSL encryption by default for Search, Gmail and Drive, and encrypting data moving between its data centers. It has also added a mobile device kill switch for Android, and helped to fund an open-source security initiative.
