Good Guy Google —

Google “Project Zero” hopes to find zero-day vulnerabilities before the NSA

Team of security researchers will strive to make the Internet safer for all.

"You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications," writes Google security researcher Chris Evans. To help make that a reality, Google has put together a new team of researchers whose sole purpose is to find security flaws in software—any software—that's used on the Internet.

Google employees have found and reported security flaws in the past, but only as a part-time effort. The new "Project Zero" team will be dedicated to hunting for the kind of exploitable flaws that could be used to spy on human rights activists or conduct industrial espionage. Aiming to disrupt targeted attacks, the team will look at any software that's depended on by a large number of people.

Project Zero will report bugs it finds only to the software vendor, and it will give those vendors 60 to 90 days to issue patches before public disclosure. This time frame may be reduced for bugs that appear to be actively exploited.

The group hopes that the bugs it finds will tend to overlap with the bugs that security agencies and malicious hackers tend to find. This might seem far-fetched, but simultaneous discovery is something that has been repeatedly observed within the security community, with multiple researchers finding and reporting bugs at about the same time.

In addition to finding bugs, the team will also research mitigation strategies and program analysis techniques. These are particularly important to developers, as they can be used to provide a kind of defense in depth; better analysis tools can help catch bugs earlier, and mitigation strategies can reduce the impact of bugs in the wild.

Evans is still building the Project Zero team. Some members are being recruited from within Google. For example, Tavis Ormandy, who has reported numerous flaws in Microsoft's software, will now be looking for vulnerabilities full time.

The team has also recruited George "geohot" Hotz as an intern. Hotz gained fame for first developing an unlock for the iPhone, allowing it to be used on carriers other than AT&T, and later a jailbreak for Apple's phone. He was later sued by Sony for jailbreaking the PlayStation 3. Most recently, Google awarded him $150,000 for a four-flaw exploit of Chrome OS.
