Google today announced a new initiative it is calling “Project Zero,” a broad attempt at reducing the number of internet users harmed every day by targeted attacks. Google believes that everyone should be able to use the internet without constant worry that attackers might exploit software vulnerabilities, and to that end the Mountain View corporation has assembled a team of experienced security researchers to help improve security across the internet.
In the announcement, Google specifically uses the example of zero-day vulnerabilities found in Adobe Flash Player that were used to target human rights activists, as well as to conduct industrial espionage. “This needs to stop,” the company says. “We think more can be done to tackle this problem.”
To help get this done, Wired reports that one of the people they’ve brought on to help pioneer this elite group of hackers is George Hotz, the man known as the first to ever “unlock” the iPhone from the tight grip of AT&T. Hotz went on to later hack the PS3 — and consequently got sued by Sony, only managing to settle on the promise of never hacking another one of the Japanese company’s products.
Google definitely won’t be playing favorites and focusing on Adobe software, as the company says that there won’t be any specific bounds on what the project will focus on. The Project Zero team will give appropriate attention to any software that is relied upon by a significant number of people:
We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.
Additionally, Google says that the work that happens under Project Zero will be transparent, and that “every bug” the team discovers will be filed and documented in a database. Bugs won’t be submitted to anyone but the actual vendor of the software, and will typically be made public after said vendor has released a patch. But it doesn’t stop there. Google also wants to give the public the ability to track things like how fast vendors fix these bugs:
Every bug we discover will be filed in an external database. We will only report bugs to the software’s vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you’ll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces.
Google wants to do all of this as close to real-time as they can, and they even want to go as far as to help vendors get fixes out to affected users. And to top it off, the company says it is looking to grow this team of security experts as well as get the wider community more involved in the bug-finding process.