Earlier this year, a flaw in the SSL protocol led to widespread panic among systems administrators. Google employees — like Neel Mahta — were among the security researchers who helped discover and extinguish the Heartbleed fire, but they were acting in an unofficial capacity. On Tuesday, Google said it created a team, called Project Zero, dedicated to finding previously undiscovered vulnerabilities in third-party (i.e. non-Google) software.
What’s going to set Google’s in-house zero-day team apart is the quality of its security professionals, according to Wired. The group is headed by Chris Evans, a Google veteran who used to head up Chrome security. Also evidently joining the team are several names that won’t surprise anyone who keeps tabs on bug reports: Ben Hawkes, Tavis Ormandy, and Brit Ian — all of whom have already found flaws in Microsoft, Adobe, and Apple software. The team’s first intern will be George Hotz, a hacker famous for first cracking the iPhone’s carrier lock. Recently, he found an exploit that led to root access on almost any Android device.
What does Google get out of paying people to find flaws in, say, Microsoft software? At first glance, Project Zero is deeply self-interested: a zero-day exploit out of Google’s control — like a bug in Adobe Flash — can easily affect Google users, opening them up to attacks from corporate spies, government bodies, and run-of-the-mill criminals. Security is often only as good as its weakest link, and zero-day exploits represent a significant attack vector.
Google said it will take an ethical approach when it finds a bug in another company’s software: it will notify the company responsible — no third parties — and give it time to issue a fix. When the bug report is made public, usually with a security patch, Google will publicize the bug in an external database and publicize stats.
Google and other companies already pay “bug bounties” for friendly hackers who report zero-day vulnerabilities — George Hotz collected $150,000 for finding a Chrome flaw earlier this year. But for white hat hackers, such bounties are hard to rely on as primary income because finding security flaws is not a consistent, linear process. And although some zero-day exploits can fetch huge sums on the black market, that comes with moral issues.
Project Zero represents an interesting proposition for some of the world’s most talented hackers: a Google email address, the resources of a committed giant with the freedom to choose interesting projects, and most importantly, steady and presumably very competitive income. It will be interesting to see which security researchers decide to join the Google mothership — Project Zero is currently hiring.