Google today announced that it is launching Project Zero, an internal team of security specialists tasked with finding vulnerabilities in third-party software — not to exploit them, but to alert the developers and avoid the next Heartbleed.
The Heartbleed bug put the whole software industry on heightened alert, and Google, Facebook, Microsoft and many others already formed a foundation earlier this year that aimed to work with popular open-source projects to audit and improve their security. Project Zero is different, though.
Google says it is creating what it calls a “well-staffed team” to “significantly reduce the number of people harmed by targeted attacks.” The idea is to improve the security of any software that a large number of people depend on. To do this, Google is hiring security researchers to staff Project Zero, and it’s looking to expand its bounties for external researchers who find security bugs in third-party software.
All of the bug reports will be filed in an external database (there is nothing in it yet), and the company will report its bugs to the vendors only — not to any third parties.
At first, it may seem odd that Google would put this amount of resources into finding bugs in third-party software. But almost every modern piece of software, whether it’s a mobile, desktop or web app, depends on lots of different parts from multiple vendors. Maybe it’s a security solution that is meant to keep web surfers safe, or a mobile framework that developers use to build their Android apps. Those kind of security issues may hit Google’s users and maybe even its own infrastructure.