Project Zero was announced Tuesday by Google, which is the company’s hired team of hackers tasked with searching for bugs and security flaws.
In the security world, bugs that can be used for hacking are called “zero-day” vulnerabilities, which are then exploited by criminals, governments, and intelligence agencies, according to Wired.
Hackers not only use these exploits to spy, but will also sell knowledge of exploits — especially those related to human rights activists or company secrets — to other hackers or foreign governments, according to The Huffington Post. And not just nefarious individuals exploit these bugs; governments have been known to do the dirty work themselves.
Back in April when Heartbleed was discovered, it was reported that the NSA already knew about the flaw for two or more years and used it for their intelligence collecting. U.S. officials denied these reports, though it follows suit with an exception passed by President Barack Obama. The exception allowed the NSA to use the flaws in the collecting, though only where “a clear national security or law enforcement need” was presented.
“People deserve to use the internet without fear that vulnerabilities out there can ruin their privacy with a single website visit,” said Chris Evans, a Google security engineer who formerly led Google’s Chrome security team and now leads Project Zero. “We’re going to try to focus on the supply of these high value vulnerabilities and eliminate them.”
Project Zero has already hired well-known hackers from Google’s own staff. Ben Hawkes, Tavis Ormandy, George Hotz, and Brit Ian Beer have been previously credited for finding bugs in Google’s own Chrome OS to Adobe, Microsoft, Apple, and many other products. And they plan to recruit more to bring Project Zero up to 10 full-time researchers.
Google is hiring “the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the Internet,” Evans said.
The team itself might be new, but Google’s hunt for bugs is not. They have for years paid “bug bounties” to friendly hackers who found flaws in the search engine giant’s code — Project Zero’s George Hotz was one of the previous recipient of such bounty. However, Google is finding more of a need to look for bugs outside of its own software since some of the company’s programs rely on third-party code.
When Project Zero locates flaws on associated software, the team will notify the company and give them 60 to 90 days to fix it before they publish the flaw on the team’s blog. Project Zero will give only seven days to companies whose software flaws are being actively exploited.
“It’s not acceptable to put people at risk by taking too long or not fixing bugs indefinitely,” Evans said.
Project Zero is just another way the company is helping protect its users and is setting industry standard as it fronts the protest to save Net Neutrality. Google also released its own less-than-favorable diversity report and allowed pseudonyms on Google Plus.
[Photo by Nyshita Talluri]