Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Blogs

War on Error

John E. Dunn

Google's Project Zero flaw programme - do-gooding spin or a much-needed evolution?

Article comments

It turns out that flaw bounties won't do it on their own. Google is the first to realise this.

It turns out that flaw bounties won't do it on their own. Google is the first to realise this.

Germany had its post-WW2 Year Zero, New York has Ground Zero and now Google has added its name to the list with Project Zero, a crack security team the firm has set up to generally FIX THINGS.

Tasked with the job of hunting down the sort of fundamental security flaws and weaknesses that still plague Internet users, Google’s Richard Evans said in a blog that the firm was in the process of hiring a “well-staffed” SWAT roster, including (incredibly) celebrated PS3 hacker George Hotz.

What this means in practice is that Google will fill cubicles with security researchers who have a proven track record of finding zero-day vulnerabilities, reporting them to affected vendors (and only to vendors) before publishing the bare details to a public database the industry can use to gauge time-to-fix responsiveness.

“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” said Evans, a man with a pretty impressive bug-finding record of his own.

“Yet in sophisticated attacks, we see the use of zero-day vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.”

It is easy to be cynical about altruistic announcements from large tech firms but Google’s move is curious more than anything. What problem is it solving? In common with a number of big firms, Google already has a bug bounty programme, a relatively recent initiative it bolstered in February with improved Patch Rewards. But this is limited in scope to flaws found by researchers in Google products; the role of Project Zero is, in theory, to look for big vulnerabilities in any product.

That’s a big step up and, some people have noticed, is more or less what a clutch of small but controversial bug-hunting outfits such as Vupen, Endgame Systems and ReVuln already do. The Project Zero template is to replicate the market these firms have cornered almost as if the firm is admitting that bounties on their own have not been enough to get hold of the best flaws.
On the other side of the market, everyone knows, are nation states, including the US, which have the resourses to find or buy vulnerabilities to craft exploits for targeted attacks.

“Google certainly has the resources to effect change and disrupt the current trends of exploit for sale and non-disclosure by government agencies. Combined with visibility of a large portion of the internet traffic and you can see how the Project Zero team has an opportunity to show some real leadership,” commented Will Semple or security firm Alert Logic in a comment emailed to press.

Let's face it, it’s a strange world in which the people who know the most about serious zero-day flaws affecting a billion people are secretive government hackers and a handful of small and unaccountable security firms nobody beyond the security industry has even heard of.

Google is right to take on this cartel but for it to become more than an interesting idea it needs others including Microsoft to do something similar. A single company, even one as large as Google, will never be enough to put a dent in a problem that spans everything from Heartbleed to everyday flaws swarming around the browser plug-ins for Java and Flash Player.

As Google’s Evans himself said, “Project Zero is our contribution, to start the ball rolling.” Let's hope the firm's peers get the same memo.





Share:

More from Techworld

More relevant IT news

Comments

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *