In-depth

Project Zero: Show Google's bug-hunting scheme some love

Google's efforts to address the problems of zero-day vulnerabilities should be applauded, claims Davey Winder

So Google reminds us that it has invested heavily in security, including encrypting data as it moves between datacentres, and is now looking towards securing stuff by other people on the Internet.

 In a recent blog post, Google revealed researchers had already been spending time looking for vulnerabilities (the discovery of the well-publicised Heartbleed bug was largely down to Google's involvement) and that part-time researchers are becoming part of a full-time unit known as Project Zero.

The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released.

These folk will be employed to look for vulnerabilities within the wider Internet, zero-day hunters in other words. Bravo, you might think. Well done Google for doing something to make things more secure for all of us.

Yet the news was immediately pounced upon by the naysayers, with numerous comments from people telling Google to get its own house in order first before turning its attention outwards, with liberal mentions of Chrome vulnerabilities and NSA involvement being bandied around.

I, however, was not one of them. Sure, Google could have handled vulnerability discovery and patching in its own products better, but how does that invalidate it establishing a team of very experienced bug-hunters to go out there and find zero-days?

 As for the NSA allegations, which centre around Google "willingly" co-operating with the US security agency to give them access to our data, that was merely Google reacting to its legal obligations when presented with a court order. And again, this has absolutely no impact upon whether Project Zero is a good thing or, indeed, a workable idea.

And there, dear reader, we find the real question that should be asked: can Project Zero deliver? Google has already hired some good people, with a well-documented track record in bug hunting, and that's a good start.

However, zero-day research teams are not a new thing, they have been around for many years and zero-days still exist. The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released. What worries me is how long that patch will take to roll out.

Maybe the haters had a point when talking about time to fix problems with Google Chrome, as that left users exposed to vulnerabilities in the meantime.

That's a hurdle any vulnerability research team has to clear. It's not just a matter of finding zero-days but getting vendors to patch them in as short a time as possible. Maybe Google, being the giant that it is, will have more clout in persuading vendors to act more quickly than they do presently.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Lookout reveals mobile-first endpoint detection and response solution
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020
Cisco finds an increase in security concerns due to remote working
Security

Cisco finds an increase in security concerns due to remote working

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
'Robin Hood' hackers donate stolen Bitcoin to charity
ransomware

'Robin Hood' hackers donate stolen Bitcoin to charity

21 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020