Google announces team of zero day bug-hunters
When the Heartbleed security flaw was detected earlier this year, it was estimated that two-thirds of the world's servers were vulnerable to attack. Flaws such as this, that exist before they are detected, are known as "zero day" flaws. Now, Google has set up a team to combat them.
Google was one of the parties involved in the discovery and subsequent reporting of the Heartbleed vulnerability, as part of its "part-time" security research program. The firm says that the success of that research has led it to setting up what's described as a "new, well-staffed team called Project Zero."
The aim of Project Zero is to "significantly reduce the number of people harmed by targeted attacks." Google says there will be no constraints placed on the project and that it will cover any software used by large numbers of people.
In addition to detecting flaws, the team will pay attention to the techniques, targets and motivations of attackers. All bugs discovered will be reported to the vendor and then logged in an external, public database. Database users will be able to monitor vendor time-to-fix performance, see discussions about exploitability and view historical exploits and crash traces.
"We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities," says Google research herder Chris Evans in a blog post. "In addition, we’ll be conducting new research into mitigations, exploitation, program analysis – and anything else that our researchers decide is a worthwhile investment."
In addition to notifying vendors of any bugs, Google says it will work with them to produce and apply fixes in a reasonable time.