In-depth

Project Zero: Show Google's bug-hunting scheme some love

Google's efforts to address the problems of zero-day vulnerabilities should be applauded, claims Davey Winder

So Google reminds us that it has invested heavily in security, including encrypting data as it moves between datacentres, and is now looking towards securing stuff by other people on the Internet.

 In a recent blog post, Google revealed researchers had already been spending time looking for vulnerabilities (the discovery of the well-publicised Heartbleed bug was largely down to Google's involvement) and that part-time researchers are becoming part of a full-time unit known as Project Zero.

Advertisement - Article continues below

The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released.

These folk will be employed to look for vulnerabilities within the wider Internet, zero-day hunters in other words. Bravo, you might think. Well done Google for doing something to make things more secure for all of us.

Yet the news was immediately pounced upon by the naysayers, with numerous comments from people telling Google to get its own house in order first before turning its attention outwards, with liberal mentions of Chrome vulnerabilities and NSA involvement being bandied around.

I, however, was not one of them. Sure, Google could have handled vulnerability discovery and patching in its own products better, but how does that invalidate it establishing a team of very experienced bug-hunters to go out there and find zero-days?

Advertisement
Advertisement - Article continues below

 As for the NSA allegations, which centre around Google "willingly" co-operating with the US security agency to give them access to our data, that was merely Google reacting to its legal obligations when presented with a court order. And again, this has absolutely no impact upon whether Project Zero is a good thing or, indeed, a workable idea.

Advertisement - Article continues below

And there, dear reader, we find the real question that should be asked: can Project Zero deliver? Google has already hired some good people, with a well-documented track record in bug hunting, and that's a good start.

However, zero-day research teams are not a new thing, they have been around for many years and zero-days still exist. The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released. What worries me is how long that patch will take to roll out.

Maybe the haters had a point when talking about time to fix problems with Google Chrome, as that left users exposed to vulnerabilities in the meantime.

That's a hurdle any vulnerability research team has to clear. It's not just a matter of finding zero-days but getting vendors to patch them in as short a time as possible. Maybe Google, being the giant that it is, will have more clout in persuading vendors to act more quickly than they do presently.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/355013/10-quick-tips-to-identifying-phishing-emails
Security

10 quick tips to identifying phishing emails

16 Mar 2020
Visit/business-strategy/mergers-and-acquisitions/354941/panda-security-to-be-acquired-by-watchguard
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020