Google has enlisted a team of security researchers to discover bugs under Project Zero, a full-time research team at Google dedicated to uncovering the next Heartbleed.
According to a blog post on Tuesday by Google research lead Chris Evans, Project Zero doesn’t have a specific aim, but rather intends to “significantly reduce the number of people harmed by targeted attacks.” The team will work to improve security of “any software depended upon by large numbers of people” and will pay close attention to techniques, targets and motivations of hackers.
This kind of role is becoming more common as security teams need to think like hackers in order to find holes in their systems. More security professionals are becoming certified ethical hackers in order to work with companies to find security vulnerabilities.
According to Evans, Project Zero will use “standard approaches such as locating and reporting large numbers of vulnerabilities.” The team will also conduct new research into mitigation, exploitation and program analysis.
Project Zero is a good marketing move for Google, which has been more focused on security recently, including the launch of its end-to-end encryption extension for Chrome.
Because Project Zero promises transparency, its work will also benefit other vendors and service providers.
Still, there are some skeptics who don’t see Project Zero as anything but a marketing ploy. According to a report by Forbes, “killing a few zero-days” may make Google and its shareholders feel better, but it will certainly not kill the market for zero-day exploits.
Project Zero will file every bug it discovers in an external database and will report bugs to the software’s vendor – no third parties. It plans to send bug reports to vendors in “as close to real-time as possible” and to work with them to “get fixes to users in a reasonable time.”
Aside from the full-time team working on Project Zero, Google plans to look at ways to involve the wider community, such as extending its reward initiatives and guest blog posts. Google founded its Vulnerability Reward Program in 2010 for its own properties.