Internet giant Google has built a “team of security researchers” which will work towards the organization’s newest target: “making the Internet safer by reducing the number of people harmed during zero-day attacks”, according to a recent article published on the Hosting News website. The article indicates that this team, named “Project Zero”, is a collection of “highly skilled, full-time researchers” working diligently to locate and report “large numbers of security threats.”
Google’s Chris Evans, the company’s “Researcher Herder”, was quoted in the article as saying, “You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. We think more can be done to tackle this problem.” Google and Evans clarify that Project Zero is not focused on “finding vulnerabilities in only Google products” but is also tasked to “discover bugs” in other widely used software and to pay attention to “techniques, targets and motivations of attackers”, according to the report.
According to the article, all information found by the group “will be stored in an external database where the vendors of the compromised software will be notified”; the team will then generate and release reports to the public so that discussion of the vulnerability can begin with all concerned. The article states that Google is in search of “researchers for Project Zero”, but no information on how to apply for these roles has yet been released. The website 9to5google.com also published the following statement from Google regarding Project Zero:
“We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment. Every bug we discover will be filed in an external database. We will only report bugs to the software’s vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you’ll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces.”