It turns out that flaw bounties won't do it on their own. Google is the first to realise this.
Germany had its post-WW2 Year Zero, New York has Ground Zero and now Google has added its name to the list with Project Zero, a crack security team the firm has set up to generally FIX THINGS.
Tasked with the job of hunting down the sort of fundamental security flaws and weaknesses that still plague Internet users, Google’s Richard Evans said in a blog that the firm was in the process of hiring a “well-staffed” SWAT roster, including (incredibly) celebrated PS3 hacker George Hotz.
What this means in practice is that Google will fill cubicles with security researchers who have a proven track record of finding zero-day vulnerabilities, reporting them to affected vendors (and only to vendors) before publishing the bare details to a public database the industry can use to gauge time-to-fix responsiveness.
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” said Evans, a man with a pretty impressive bug-finding record of his own.
“Yet in sophisticated attacks, we see the use of zero-day vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.”
It is easy to be cynical about altruistic announcements from large tech firms but Google’s move is curious more than anything. What problem is it solving? In common with a number of big firms, Google already has a bug bounty programme, a relatively recent initiative it bolstered in February with improved Patch Rewards. But this is limited in scope to flaws found by researchers in Google products; the role of Project Zero is, in theory, to look for big vulnerabilities in any product.
That’s a big step up and, some people have noticed, is more or less what a clutch of small but controversial bug-hunting outfits such as Vupen, Endgame Systems and ReVuln already do. The Project Zero template is to replicate the market these firms have cornered almost as if the firm is admitting that bounties on their own have not been enough to get hold of the best flaws.
On the other side of the market, everyone knows, are nation states, including the US, which have the resources to find or buy vulnerabilities to craft exploits for targeted attacks.
“Google certainly has the resources to effect change and disrupt the current trends of exploit for sale and non-disclosure by government agencies. Combined with visibility of a large portion of the internet traffic and you can see how the Project Zero team has an opportunity to show some real leadership,” commented Will Semple of security firm Alert Logic in a comment emailed to press.
Let's face it, it’s a strange world in which the people who know the most about serious zero-day flaws affecting a billion people are secretive government hackers and a handful of small and unaccountable security firms nobody beyond the security industry has even heard of.
Google is right to take on this cartel but for it to become more than an interesting idea it needs others including Microsoft to do something similar. A single company, even one as large as Google, will never be enough to put a dent in a problem that spans everything from Heartbleed to everyday flaws swarming around the browser plug-ins for Java and Flash Player.
As Google’s Evans himself said, “Project Zero is our contribution, to start the ball rolling.” Let's hope the firm's peers get the same memo.