Zero-day exploits are the bane of IT security professionals. Google says it will fight them with Project Zero.
The search company said last week that it has created a new “well-staffed” team to hunt out software bugs and report them to software vendors.
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Google said in the blog. “Yet in sophisticated attacks, we see the use of “zero-day” vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.”
The company says its objective “is to significantly reduce the number of people harmed by targeted attacks. We’re hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.”
Every bug will be reported in a publicly-available database once a patch is available. That way, Google says, people will be able to see vendor time-to-fix performance, discussions of exploitability and view historical exploits and crash traces.
Writing on the security blog of a vendor, columnist and analyst Graham Cluley said Google’s approach is better than some security researchers, who rush to put out news of a vulnerability before it has been patched and therefore giving hackers an opportunity to exploit it.