Security Blog

The latest news and insights from Google on security and safety on the Internet

Announcing Project Zero

July 15, 2014
Google

26 comments:

Andrew said...

Are there plans to allow other organizations/companies/individuals to submit zero-days to this database? What about FOSS projects?

One issue my company faces is that if we perform testing of a FOSS solution, under the terms of most licenses, we are obligated to submit changes back to the project if we make changes. However, if our change introduces yet further problems, we could potentially be liable (perhaps not from a legal standpoint, but definitely from a media standpoint). Therefore, it is generally our policy not to disclose any findings we discover in any solution, but that really goes against ethics in some ways. It would be nice if there were a way to collaboratively and safely report vulns to all types of projects - FOSS, proprietary, or otherwise.

July 15, 2014 at 9:09
Andrew said...

Will this database be open to contributions from other companies/organizations/individuals? What about zero-days in FOSS solutions?

One of the issues that my company has is that if we report findings in a FOSS project and submit changes back to the community, we would be liable if these changes introduced yet further security flaws (perhaps not legally, but definitely from a media standpoint). Therefore, it's our policy to not report any findings in any solution we use, and vulnerability data is strictly for internal use only. This really becomes an ethical dilemma, though, and it would be great if we could report vulnerabilities to FOSS and proprietary solutions alike in a safe and responsible manner.

July 15, 2014 at 9:22
Unknown said...

Wow, this is incredible!

July 15, 2014 at 10:29
Unknown said...

How to apply?

July 15, 2014 at 10:59
Michal Stefanow said...

[controversy]How does public know if it is for real? [/controversy]

July 15, 2014 at 11:01
Unknown said...

I have little experience, can I get hired?

July 15, 2014 at 11:33
fimafimovich said...

Here is an article from Wired Magazine written after an interview with me

http://archive.wired.com/techbiz/it/news/2004/05/63391?currentPage=all

What about these kinds of problems?

July 15, 2014 at 13:12
Marco Esquandolas said...

Chris, Thanks for sharing your thoughts on Security. Project Zero sounds amazing!

July 15, 2014 at 13:31
gargeya said...

Just awesome!

July 15, 2014 at 14:01
Andrew said...

You should create a hacking crawler that tries to gain root access to every server in the world, and for servers that it succeeds at gaining access to, re-configures their server in a more secure fashion.

July 15, 2014 at 14:11
Ianso said...

Item 1, OpenSSL :-)

July 15, 2014 at 15:34
MarkM said...

Why don't you get your own house in order first? Seriously, you left tens of thousands of Chrome users vulnerable for days to the recent Rosetta Flash Vulnerability because rather than allow users to update with a new release, you relied upon your dysfunctional Component Update System.

Worse, the scores of Chrome user complaints were ignored on your Chrome Release blog.

I am completely unimpressed with Google's idea of security, and will remain so until your team provides answers to why you left your loyal Chrome users both vulnerable and in the dark.

To read what I'm talking about, go here: http://googlechromereleases.blogspot.com/2014/07/flash-player-update.html

July 15, 2014 at 16:01
Anonymous said...

I have hacked dozens of Gmail accounts.
Hire me at Google and I will tell you how it is done.

July 15, 2014 at 17:35
Unknown said...

Chris - We applaud Google's effort in this area. One question I have is regarding public reporting "typically once a patch is available."

Like Google, we support and practice responsible disclosure. One concern we have in the mobile space is the slow pace at which many developers deal with security vulnerabilities once reported. We find even large companies taking 2 weeks to initially respond, and several weeks or even months after that to repair issues like a man-in-the-middle vulnerability.

At the same time, if a mobile app is vulnerable, in most cases end users can protect themselves immediately by uninstalling the vulnerable app. It is essentially different from an OS or server software vulnerability.

We believe responsible disclosure deserves timely remediation, and users deserve timely notification if their apps are insecure.

I hope Google will help set a high expectation in the mobile space for security response and remediation.

Again, great to hear about this initiative.

Ted Eull, viaForensics

July 15, 2014 at 18:34
Hilal said...

Umm, oops, were you not doing this before? I mean, come on, what makes you think that this is different from what you had and should have done before you launched the services? Here is food for thought: whereas I understand and completely agree that the threat landscape changes every day, evolving our defenses takes some time. But projects such as your 'Project Zero', which I believe is a holistic program to combat threats on the internet that includes 0day vulnerabilities, encrypting traffic across communication channels and storage, have been launched before, and therefore forgive me for being a non-believer in your attempts to secure my online life. Meanwhile the NSA is busy digging up dirt on me from the data that 'YOU' gave them.

- Hilal

July 15, 2014 at 23:00
Anonymous said...

Who should I contact about hiring? Thank you very much!

July 15, 2014 at 23:25
Unknown said...

That's extremely nice to hear, but I'm wondering how to go about being a part of this team's mission.

July 16, 2014 at 11:10
ak_hepcat said...

The biggest issue with zero-day exploits and waiting for patches to become public is that until the vendor decides to release a patch, it is still a zero-day issue. And it can remain that way for months or years, as we have seen.

How will this Project Zero seek to minimize the disruptive impact of announcing vulnerabilities vs. the ability for people to block them if they know about them?

July 16, 2014 at 14:50
Unknown said...

Good to know. This is much needed.

July 17, 2014 at 6:30
Alessandro Moretti said...

How to apply?

July 17, 2014 at 7:24
Unknown said...

typo:

s/criminal or state-sponsored actor/ criminal state-sponsored actor/

July 17, 2014 at 11:08
Mrityunjoy said...

Hardening the internet is a big goal. I believe disarming botnets and persistent chain attacks can be the first priority to make the world free of spam and DDoS. Your thoughts?

July 17, 2014 at 12:51
Ev Batey WA6CRE said...

Without naming my once favorite XXX Droid phone vendor, which left me with 4.1.1 with Heartbeat = on for TOO long, it is sad that Android ware is at the mercy of phone vendors who refuse to update their Open SSH/SSL until we share a lot of hate about them. Finally the short patch came along to stop Heartbeat. I'd hate to migrate to iOS for protection. Thanks Google

July 18, 2014 at 17:46
BdC said...

Great initiative. I translated your post on my blog for the French community.

July 21, 2014 at 9:21
Jan Galkowski said...

Any intent or interest in coming up with uniform mechanisms to defeat persistent tracking mechanisms like those described recently here?

July 21, 2014 at 13:24
Ilja van Sprundel said...

Whoa, this is a great initiative!

July 22, 2014 at 11:31
