To prevent another Heartbleed, Google hires hackers to find bugs

In this Oct. 8, 2010 file photo, the Google logo is displayed outside Google headquarters in Mountain View, Calif. AP Photo/Paul Sakuma

If you can't beat them, hire them. That's the approach Google is taking in announcing a team of hackers whose job is to discover bugs and make the Internet safer.

Google says its new Project Zero will work to prevent security vulnerabilities that allow attacks online. Initially a part-time research effort, Google decided to make it a full-time team to seek out and combat vulnerabilities like the so-called "Heartbleed bug" that surfaced in April, a security hole in the open-source software used to encrypt Web communications that allowed targeted attacks on users' online data.

People should be able to use the Internet "without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications," Chris Evans, a researcher at Google, posted on the company's blog.

"Yet in sophisticated attacks, we see the use of 'zero-day' vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem," Evans wrote. "Project Zero is our contribution, to start the ball rolling."

Zero-day vulnerabilities refer to newly discovered security gaps in software that programmers have not had a chance to patch.

The team already includes hacking wunderkind George Hotz, Ben Hawkes and security researcher Tavis Ormandy, according to Wired. Hotz is best known for unlocking the iPhone in 2007, hacking the PlayStation 3, and uncovering flaws in Google's Chrome operating system. Google is still looking for people to join the team, says Evans.

"We're hiring. We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love, but in the open and without distraction," he writes.

Evans told CNET that Project Zero differs from other zero-day projects, such as Hewlett-Packard's Zero-Day Initiative (ZDI), because it's hiring "the best security researchers in the world" to work on it full-time.

"Project Zero researchers will be hunting and eliminating vulnerabilities, but also doing more than that," he told CNET. "Researchers will have [license] to investigate whatever defensive or analysis technologies they think can bring security wins to the table."

The Project Zero team will report any bugs it finds to the software vendors, while noting the techniques, targets and motivations of attackers. Once news of a bug becomes public, the team will post updates so users can monitor vendors' time-to-fix performance.

Project Zero will post any interesting finds on its blog.
