Project Zero: Show Google's bug-hunting scheme some love

Google's efforts to address the problems of zero-day vulnerabilities should be applauded, claims Davey Winder

So Google reminds us that it has invested heavily in security, including encrypting data as it moves between datacentres, and is now looking towards securing stuff by other people on the Internet.

 In a recent blog post, Google revealed researchers had already been spending time looking for vulnerabilities (the discovery of the well-publicised Heartbleed bug was largely down to Google's involvement) and that part-time researchers are becoming part of a full-time unit known as Project Zero.

The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released.

These folk will be employed to look for vulnerabilities within the wider Internet, zero-day hunters in other words. Bravo, you might think. Well done Google for doing something to make things more secure for all of us.

Advertisement - Article continues below
Advertisement - Article continues below

Yet the news was immediately pounced upon by the naysayers, with numerous comments from people telling Google to get its own house in order first before turning its attention outwards, with liberal mentions of Chrome vulnerabilities and NSA involvement being bandied around.

I, however, was not one of them. Sure, Google could have handled vulnerability discovery and patching in its own products better, but how does that invalidate it establishing a team of very experienced bug-hunters to go out there and find zero-days?

 As for the NSA allegations, which centre around Google "willingly" co-operating with the US security agency to give them access to our data, that was merely Google reacting to its legal obligations when presented with a court order. And again, this has absolutely no impact upon whether Project Zero is a good thing or, indeed, a workable idea.

And there, dear reader, we find the real question that should be asked: can Project Zero deliver? Google has already hired some good people, with a well-documented track record in bug hunting, and that's a good start.

However, zero-day research teams are not a new thing, they have been around for many years and zero-days still exist. The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released. What worries me is how long that patch will take to roll out.

Maybe the haters had a point when talking about time to fix problems with Google Chrome, as that left users exposed to vulnerabilities in the meantime.

Advertisement - Article continues below

That's a hurdle any vulnerability research team has to clear. It's not just a matter of finding zero-days but getting vendors to patch them in as short a time as possible. Maybe Google, being the giant that it is, will have more clout in persuading vendors to act more quickly than they do presently.

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020
artificial intelligence (AI)

AI identifies 11 earth-bound asteroids

18 Feb 2020
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020