Project Zero: Show Google's bug-hunting scheme some love
Google's efforts to address the problems of zero-day vulnerabilities should be applauded, claims Davey Winder
So Google reminds us that it has invested heavily in security, including encrypting data as it moves between datacentres, and is now looking towards securing stuff by other people on the Internet.
In a recent blog post, Google revealed researchers had already been spending time looking for vulnerabilities (the discovery of the well-publicised Heartbleed bug was largely down to Google's involvement) and that part-time researchers are becoming part of a full-time unit known as Project Zero.
The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released.
These folk will be employed to look for vulnerabilities within the wider Internet, zero-day hunters in other words. Bravo, you might think. Well done Google for doing something to make things more secure for all of us.
Yet the news was immediately pounced upon by the naysayers, with numerous comments from people telling Google to get its own house in order first before turning its attention outwards, with liberal mentions of Chrome vulnerabilities and NSA involvement being bandied around.
I, however, was not one of them. Sure, Google could have handled vulnerability discovery and patching in its own products better, but how does that invalidate it establishing a team of very experienced bug-hunters to go out there and find zero-days?
As for the NSA allegations, which centre around Google "willingly" co-operating with the US security agency to give them access to our data, that was merely Google reacting to its legal obligations when presented with a court order. And again, this has absolutely no impact upon whether Project Zero is a good thing or, indeed, a workable idea.
And there, dear reader, we find the real question that should be asked: can Project Zero deliver? Google has already hired some good people, with a well-documented track record in bug hunting, and that's a good start.
However, zero-day research teams are not a new thing, they have been around for many years and zero-days still exist. The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released. What worries me is how long that patch will take to roll out.
Maybe the haters had a point when talking about time to fix problems with Google Chrome, as that left users exposed to vulnerabilities in the meantime.
That's a hurdle any vulnerability research team has to clear. It's not just a matter of finding zero-days but getting vendors to patch them in as short a time as possible. Maybe Google, being the giant that it is, will have more clout in persuading vendors to act more quickly than they do presently.