Google is hiring full-time staff to try to hunt down zero-day vulnerabilities across all systems. It’s going to publish the results in a way it believes will be responsible but put pressure on firms to plug gaps quickly.
The company’s Chris Evans says some of the company’s staff who work on securing Google services have been working part time on researching security flaws in other systems and products.
Now it is launching Project Zero, which will involve a “well-staffed” department of full-time workers who will attempt to improve online security. They’ll not only use common methods of hunting down and tracking loopholes, but will be charged with developing and testing new approaches.
Evans says there’s no limit on which software the staff can explore, though the emphasis will be on those applications and services which have a large number of users.
The plan is to only report the details of security flaws directly to the people behind the software concerned, usually as soon as the flaw is discovered. Once the company concerned develops and releases a patch, Google will then publish the details in a public database (which appears to need a little work at the moment.)
As well as detailing the flaw, how it could be exploited, and whether it is known to have been exploited, the database will list how long it took for the company to issue a patch after Google told it about the problem.
The idea here is to shame slow-acting companies into picking up their pace. One potential problem is that whenever you check the database, really slow-acting firms — the ones who still haven’t fixed a problem at all — won’t be reflected in the data.
It’s certainly a worthy project and fits into Google’s philosophy that anything that makes Internet use easier or safer will ultimately benefit its own business. There’s still the problem that even a company with deep pockets like Google may be unable to justify salaries that compete with potential earnings of those who choose to find and exploit loopholes for more nefarious means.