Fear not, citizen: Google is looking out for you.
Today (July 15) Google announced Project Zero, an in-house team of
security researchers dedicated to finding flaws in non-Google software
"across the Internet." Google says Project Zero will let the company
more directly address zero-day flaws (newly discovered bugs) and other
security issues in third-party software that affect Google users and
Google products.
Among the members of Project Zero is George Hotz, a.k.a. GeoHot, who
was the first to carrier-unlock an iPhone in 2007 when he was 17, showed
others how to hack a PlayStation 3 in 2010 (Sony sued him) and more
recently found a Chrome OS exploit for which Google gave him a $150,000
reward -- and a job.
"Our objective is to significantly reduce the number of people
harmed by targeted attacks," said Google security expert (and newly
minted head of Project Zero) Chris Evans in a blog post.
"We're hiring the best practically-minded security researchers and
contributing 100 percent of their time toward improving security across
the Internet."
Google says it created Project Zero to improve Internet security for
all Internet users. Others in the security industry are a bit more
skeptical.
"Google's Project Zero amounts to little more than a PR stunt," said
Aaron Portnoy, vice president of Exodus Intelligence, a security company
that specializes in discovering zero-day vulnerabilities and disclosing
them only to its clients.
"Bug-bounty programs, such as HP's Zero Day Initiative, have upwards
of 1,500 researchers submitting vulnerability reports to their program,"
Portnoy told Tom's Guide, referring to funds that pay rewards to the
finders of software flaws.
Portnoy, who once ran the Zero Day Initiative, pointed out that
Google isn't the first major corporation to create an in-house team of
researchers focused on finding flaws in software other than its own.
"Google adding 10 more researchers to the mix isn't really going to affect our business," he said.
Chaouki Bekrar of VUPEN, a French company that finds and sells zero-day security flaws, also weighed in.
"What Google did not understand is that killing a few zero-days will
make Google's researchers/shareholders feel better but it will
definitely not kill the market of zero-day exploits, instead it will
make it even more lucrative," he told Tom's Guide.
Evans says Project Zero's researchers will first report any flaws
they find directly to the affected software's developers. Once the
report becomes public (which Evans says is "typically once a patch is
available") the bug will be filed in a public database (found here), where people can see how much time passed between a bug's reporting and its patching.
"We also commit to sending bug reports to vendors in as close to
real-time as possible, and to working with them to get fixes to users in
a reasonable time," Evans added.
The other members of Project Zero include Ben Hawkes, Tavis Ormandy
and Ian Beer, well-regarded Google employees with multiple bug
discoveries to their names.
Google researchers have been finding security bugs in non-Google products for several years. Often, when researchers find a security flaw and report it to the company in question, the company will pay the researchers a "bug bounty" for their trouble — as Google did for Hotz's Chrome OS bug.
Some freelance researchers depend on these bug bounties for income.
Project Zero's salaried researchers (and they're hiring, according to
Evans) may cut into their business.