With the aim of making the Internet a safer place, Google yesterday announced Project Zero, a new cybersecurity effort focused on hunting down zero-day vulnerabilities and preventing the most advanced cyber attacks.
"You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications", Chris Evans, a Google Researcher Herder, wrote in a blog post announcing the project.
The Project Zero team will work to improve the security of any software depended upon by large numbers of people, not just Google products. The team will find and report bugs, details of which will be filed in an external database.
After the team finds a bug, it will alert the vendor responsible for a fix, giving it 60-90 days to issue a patch before publicly revealing the flaw on the Google Project Zero blog. The time frame could be reduced to as little as 7 days if the bug is being actively exploited.
The project was started after some Googlers started spending "some of their time on research that makes the Internet safer, leading to the discovery of bugs like Heartbleed", Evans said.
Google has already recruited some of the brightest minds from within the company. These include Ben Hawkes, who has been credited with discovering dozens of bugs in software like Adobe Flash and Microsoft Office apps in the last year alone; Tavis Ormandy, an English researcher who recently exposed flaws in Sophos software; and more. George Hotz, who hacked Google’s Chrome OS to win the company's Pwnium hacking competition last March, will be the team’s intern.
Evans says the team is still hiring, hoping to have more than 10 full-time members, who will work from Google's office in Mountain View, California.
While it may seem strange, spending its own resources on improving third-party software could have some benefits for Google. After all, products like Chrome often depend on third-party software like Adobe’s Flash or elements of the underlying OS. The other, less direct, reason could be ad revenue, as a safe Internet means people will feel less uneasy about clicking on ads.