Google Launches Project Zero to Protect Users From Zero-Day Vulnerabilities


Google is making its next move in becoming either a superhero or supervillain organization. Under the title Project Zero, Google is hiring a team of elite hackers to locate vulnerabilities in the world’s software. Jeez, just take over the world already.

Project Zero is Google’s response to the zero-day vulnerabilities that continue to threaten their software. A zero-day vulnerability is an unforeseen flaw in a given computer application that allows an attacker to access information, sell it, alter it, anything. The Heartbleed Bug is a perfect example of the type of security flaw the Project Zero team would work to identify.

The team would focus on Google’s software, but is going to expand its horizons to third-party code that influences Google users. Chrome, for instance, requires software like Adobe Flash and operating systems like Mac, Windows, and Linux to run. The Project Zero team would search for flaws in these types of software and systems to eliminate the tenuousness of relying upon other companies to protect their users.

Once the flaws were located, the information would be stored in an external database and reported to the software’s vendor as quickly as possible. The company responsible would then have 60 to 90 days to fix it before the flaw would be publicly revealed on the Project Zero Blog (but would be pressured to fix it in as few as seven).

Chris Evans, a security engineer at Google, is the head of the team. Ben Hawkes (a New Zealander who discovered bugs in Adobe Flash and Microsoft Office), Tavis Ormandy (a renowned English bug-hunter who demonstrated that some antivirus software can actually make users more vulnerable), and George Hotz (a hacker prodigy who broke through Chrome’s defenses and was given a $150,000 reward by Google for it) are the confirmed team members as of now. The goal is to have over ten full-time hacking researchers, so Project Zero is still hiring.

The motivation for Google to put together this task force is fairly clear. But Evans puts it particularly well: “If we increase user confidence in the internet in general, then in a hard-to-measure and indirect way, that helps Google too.” Google is a company that lives and breathes off the internet, and people are increasingly tired of feeling unsafe with their information. Trust in the company was pretty low when people learned that the NSA was using Google to spy on users, and Project Zero feels like a direct response to that.

Every time something new comes out, the risk of a zero-day threat is present. Is this process going to be a vicious cycle, or will one side beat the other? Really, I have no doubts that the Project Zero team is going to be effective, but I get the feeling that the scope of their goals is going to expand. It’s entirely possible that the team could be hired by other companies or, dare I say it, the government. This project is very fresh, but so far I like the looks of it. I don’t mind the concept of this team expanding in the future because their aims seem to be noble. And since it’s beneficial to Google, I have a feeling they’ll stay that way.

Source: Wired.com