Google has unveiled an all-star team of hackers and security researchers it is calling “Project Zero.”
According to a post on Google’s security blog, the company is hoping to use its security research muscle to investigate the security of “any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.”
Research like Google employee Neel Mehta’s, which helped expose the “Heartbleed” vulnerability in OpenSSL, is a good example of the kinds of stuff Project Zero will do. Researchers will devote their time to finding and reporting software vulnerabilities and researching new exploits, mitigations and “program analysis.”
The company said it plans to disclose any vulnerabilities it finds to the vendor first, then to the public in an external database. The public can monitor “time to patch” (given that the vulnerability is disclosed ahead of a patch).
Project Zero brings Google’s elite hackers under a single roof. According to a profile by Andy Greenberg in Wired, the group will be headed by Chris Evans and include celebrated researchers like Tavis Ormandy, Ben Hawkes, Ian Beer and George Hotz (@GeoHot), the 24-year-old known for defeating the security of Apple’s iPhone, who will intern with Project Zero.
While Evans couched the group’s mission as altruistic, Greenberg notes that Project Zero serves more than one purpose. One of them is to help Google identify holes in common platforms that might undermine its own offerings, or provide an entree for nation-state backed spies from China or the U.S. National Security Agency (NSA).
Google’s reputation for technical prowess was badly damaged by malicious hacks dubbed “Aurora” that exposed information on prominent users of its Gmail web-based email. More recently, in October, the company was stung by revelations that the NSA had compromised communications between Google data centers to siphon off information about hundreds of millions of Google users – many of them U.S. citizens.
The NSA revelations – derived from documents leaked by former Booz Allen Hamilton contractor Edward Snowden – were a call to arms for Google, which has taken steps in recent months to extend its use of encryption and make it easier for users of its services and Chrome web browser to do the same.
Finally, with the U.S.’s largest hacker conferences, Black Hat and DEFCON, just weeks away, companies of all stripes are liberating their resident hackers from the darkened, screen-lit rooms they inhabit and trotting them out into the sunlight.
By announcing Project Zero now and making clear that the company is recruiting top talent, Google can take advantage of the August gathering of some of the nation’s top hacking talent to add to its ranks.
You can read more here: Meet ‘Project Zero,’ Google’s Secret Team of Bug-Hunting Hackers | Threat Level | WIRED.