14 DAY TRIAL // Google has announced today Project Zero, a group of elite hackers formed to hunt down zero-day security risks in various pieces of software, not just in Google products.
The members of the group are led by security engineer Chris Evans and all of them have proved their skills on numerous occasions, being credited for finding numerous security bugs in products developed by heavy-weight companies such as Google, Adobe, Microsoft, Apple or Sony.
At the moment, the dream team is composed of Ben Hawkes, Tavis Ormandy, Ian Beer, and the latest addition, George Hotz, who has been given the status of “intern,” according to Wired.
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop,” said Chris Evans in the first blog post for the project.
Project Zero is not limited to just these five super-hackers and is open for new talent. The team is expected to exceed ten full-time researchers working in an office equipped with all the necessary tools for finding software security glitches.
The purpose of the project is touted as being primarily altruistic, but there is more to the idea behind it. Evans told Wired that increased user confidence in the security of the web also benefits Google “in a hard-to-measure and indirect way.”
Security vulnerabilities are not leveraged by cybercriminals alone, as Snowden’s revelations showed that government organizations also used them for spying purposes.
As such, Project Zero also increases the general confidence in Google’s posture for improving the privacy protection of customer information.
Moreover, since a chain is as strong as its weakest link, Google products are also vulnerable if third-party content included in them presents a security risk.
The security researcher told the online publication that “it’s a major source of frustration for people writing a secure product to depend on third party code,” and that a serious and skilled attacker would always go for the weakest spot.
Project Zero offers companies whose product has been found vulnerable a tolerance of 60 to 90 days to issue a patch. After this period, the flaw will be disclosed publicly. If the flaw is already exploited in the wild, the tolerance limit drops to a week, since a larger period of time could mean more victims.
The hacker dream team concentrates on bugs in specific areas to make sure that an exploit is rendered unsuccessful. Most of the time, defeating the protection measures implies leveraging a sequence of flaws, and if one of them is patched, exploitation is no longer possible.
The team is confident that they’ll be able to successfully hunt down zero-day bugs and “step on some toes,” as Ben Hawkes puts it.