Security Blog

The latest news and insights from Google on security and safety on the Internet

Announcing Project Zero

15 juillet 2014
Share on Twitter Share on Facebook
Google

26 commentaires :

Andrew a dit…

Are there plans to allow other organizations/companies/individuals to submit zero-days to this database? What about FOSS projects?

One issue my company faces is that if we perform testing of an FOSS solution, under the terms of most licenses, we are obligated to submit changes back to the project if we make changes. However, if our change introduces yet further problems, we could be potentially liable (perhaps not from a legal standpoint, but definitely from a media standpoint). Therefore, it is generally our policy not to disclose any findings we discover in any solution, but that really goes against ethics in some ways. It would be nice if there were a way to collaboratively and safely report vulns to all types of projects - FOSS, proprietary, or otherwise.

15 juillet 2014 à 09:09
Andrew a dit…

Will this database be open to contributions from other companies/organizations/individuals? What about zero-days in FOSS solutions?

One of the issues that my company has is that if we report findings in FOSS project and submit changes back to the community, we would be liable if these changes introduced yet further security flaws (perhaps no legally, but definitely from a media standpoint). Therefore, it's our policy to not report any findings in any solution we use, and vulnerability data is strictly for internal use only. This really becomes an ethical dilemma, though, and it would be great if we could report vulnerabilities to FOSS and proprietary solutions alike in a safe and responsible manner.

15 juillet 2014 à 09:22
Unknown a dit…

Wow, this is incredible!

15 juillet 2014 à 10:29
Unknown a dit…

How to apply?

15 juillet 2014 à 10:59
Michal Stefanow a dit…

[controversy]How does public know if it is for real? [/controversy]

15 juillet 2014 à 11:01
Unknown a dit…

I have little experienc, can I get hired?

15 juillet 2014 à 11:33
fimafimovich a dit…

Here is article from Wired Magazine written after interview with me

http://archive.wired.com/techbiz/it/news/2004/05/63391?currentPage=all

What about these kind of problems?

15 juillet 2014 à 13:12
Marco Esquandolas a dit…

Chris, Thanks for sharing your thoughts on Security. Project Zero sounds amazing!

15 juillet 2014 à 13:31
gargeya a dit…

Just awesome !

15 juillet 2014 à 14:01
Andrew a dit…

You should create a hacking crawler that tries to gain root access to every server in the world, and for servers that it succeeds at gaining access to, re-configures their server in a more secure fashion.

15 juillet 2014 à 14:11
Ianso a dit…

Item 1, OpenSSL :-)

15 juillet 2014 à 15:34
MarkM a dit…

Why don't you get your own house in order first? Seriously, you left tens of thousands of Chrome users vulnerable for days to the recent Rosetta Flash Vulnerability because rather than allow users to update with a new release, you relied upon your dysfunctional Component Update System.

Worse, the scores of Chrome user complaints were ignored on your Chrome Release blog.

I am completely unimpressed with Google's idea of security, and will remain so until your team provides answers to why you left your loyal Chrome users both vulnerable and in the dark.

To read what I'm talking about, go here: http://googlechromereleases.blogspot.com/2014/07/flash-player-update.html

15 juillet 2014 à 16:01
Anonyme a dit…

я взломал десятки аккаунтов гугл-почты
возьмите меня в гугл и я расскажу как это делается

15 juillet 2014 à 17:35
Unknown a dit…

Chris - We applaud Google's effort in this area. One question I have is regarding public report "typically once a patch is available."

Like Google, we support and practice responsible disclosure. One concern we have in the mobile space is the slow pace at which many developers deal with security vulnerabilities once reported. We find even large companies taking 2 weeks to initially respond, and several weeks or even months after that to repair issues like man-in-the-middle vulnerability.

At the same time, if a mobile app is vulnerable, in most cases end users can protect themselves immediately by uninstalling the vulnerable app. It is essentially different from OS or server software vulnerability.

We believe responsible disclosure deserves timely remediation, and users deserve timely notification if their apps are insecure.

I hope Google will help set a high expectation in the mobile space for security response and remediation.

Again, great to hear about this initiative.

Ted Eull, viaForensics

15 juillet 2014 à 18:34
Hilal a dit…

umm, oops where you not doing this before? I mean come on what makes you think that is different from what you had and should have done before you launched the services? Here is food for thought, Where as I understand and completely agree with the threat landscape changing everyday, evolving our defenses takes some time. But as project such as your 'Porject Zero' which I believe is a holistic program to combat threats on internet that includes 0day vulnerabilities, encrypting traffic across communication channels and storage have been launched before and therefore forgive me for being a non-believer in your attempts to secure my online life. Meanwhile NSA is busy digging up dirt on me from the data that 'YOU' gave them.

- Hilal

15 juillet 2014 à 23:00
Anonyme a dit…

Who should I contact about hiring? Thank you very much!

15 juillet 2014 à 23:25
Unknown a dit…

That's extremely nice to hear but
I'm wondering how to go about being a part of this team's mission.

16 juillet 2014 à 11:10
ak_hepcat a dit…

The biggest issue with zero-day exploits and waiting for patches to become public, is that until the vendor decides to release a patch, it is still a zero-day issue. And can remain that way for months or years, as we have seen.

How will this Project Zero seek to minimize the disruptive impact of announcing vulnerabilities vs. the ability for people to block them if they know about them?

16 juillet 2014 à 14:50
Unknown a dit…

Good to know. This is much needed.

17 juillet 2014 à 06:30
Alessandro Moretti a dit…

How to apply?

17 juillet 2014 à 07:24
Unknown a dit…

typo:

s/criminal or state-sponsored actor/ criminal state-sponsored actor/

17 juillet 2014 à 11:08
Mrityunjoy a dit…

Hardening the internet is a big goal, i believe disarming botnets and persistent chain attacks can be the first priority to make the world free of spam and DDOS. your thoughts?

17 juillet 2014 à 12:51
Ev Batey WA6CRE a dit…

Without naming my once favorite XXX Droid phone vendor which left me with 4.1.1 with Heartbeat = on for TOO long, it is sad the Android ware is at the mercy of phone vendors who refuse to update their Open SSH/SSL until we share a lot of hate about them. Finally the short patch came along to stop Heartbeat. I'd hate to migrate to iOS for protection. Thnx Google

18 juillet 2014 à 17:46
BdC a dit…

Great initiative. I translated your post on my blog for the French community.

21 juillet 2014 à 09:21
Jan Galkowski a dit…

Any intent or interest in coming up with uniform mechnisms to defeat persistent tracking mechanisms like those described recently here?

21 juillet 2014 à 13:24
Ilja van Sprundel a dit…

Whoa, this is a great initiative!

22 juillet 2014 à 11:31

Enregistrer un commentaire

  

Libellés


  • #sharethemicincyber
  • #supplychain #security #opensource
  • android
  • android security
  • android tr
  • app security
  • big data
  • biometrics
  • blackhat
  • C++
  • chrome
  • chrome enterprise
  • chrome security
  • connected devices
  • CTF
  • diversity
  • encryption
  • federated learning
  • fuzzing
  • Gboard
  • google play
  • google play protect
  • hacking
  • interoperability
  • iot security
  • kubernetes
  • linux kernel
  • memory safety
  • Open Source
  • pha family highlights
  • pixel
  • privacy
  • private compute core
  • Rowhammer
  • rust
  • Security
  • security rewards program
  • sigstore
  • spyware
  • supply chain
  • targeted spyware
  • tensor
  • Titan M2
  • VDP
  • vulnerabilities
  • workshop


Archive


  •     2025
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2024
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2023
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2022
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2021
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2020
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2019
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2018
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2017
    • déc.
    • nov.
    • oct.
    • sept.
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2016
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2015
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2014
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • avr.
    • mars
    • févr.
    • janv.
  •     2013
    • déc.
    • nov.
    • oct.
    • août
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2012
    • déc.
    • sept.
    • août
    • juin
    • mai
    • avr.
    • mars
    • févr.
    • janv.
  •     2011
    • déc.
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • juin
    • mai
    • avr.
    • mars
    • févr.
  •     2010
    • nov.
    • oct.
    • sept.
    • août
    • juil.
    • mai
    • avr.
    • mars
  •     2009
    • nov.
    • oct.
    • août
    • juil.
    • juin
    • mars
  •     2008
    • déc.
    • nov.
    • oct.
    • août
    • juil.
    • mai
    • févr.
  •     2007
    • nov.
    • oct.
    • sept.
    • juil.
    • juin
    • mai

Feed

Follow
Give us feedback in our Product Forums.
  • Google
  • Privacy
  • Terms