July 15, 2014

Announcing Project Zero

Posted by Chris Evans, Researcher Herder

Security is a top priority for Google. We've invested a lot in making our products secure, including strong SSL encryption by default for Search, Gmail and Drive, as well as encrypting data moving between our data centers. Beyond securing our own products, interested Googlers also spend some of their time on research that makes the Internet safer, leading to the discovery of bugs like Heartbleed.

The success of that part-time research has led us to create a new, well-staffed team called Project Zero.

You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.

Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. We're hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.

We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We'll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we'll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.

We commit to doing our work transparently. Every bug we discover will be filed in an external database. We will only report bugs to the software's vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you'll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces. We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time.

We're hiring. We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love—but in the open and without distraction. We'll also be looking at ways to involve the wider community, such as extensions of our popular reward initiatives and guest blog posts. As we find things that are particularly interesting, we'll discuss them on our blog, which we hope you'll follow.


  1. Are there plans to allow other organizations/companies/individuals to submit zero-days to this database? What about FOSS projects?

    One issue my company faces is that if we perform testing of an FOSS solution, under the terms of most licenses, we are obligated to submit changes back to the project if we make changes. However, if our change introduces yet further problems, we could be potentially liable (perhaps not from a legal standpoint, but definitely from a media standpoint). Therefore, it is generally our policy not to disclose any findings we discover in any solution, but that really goes against ethics in some ways. It would be nice if there were a way to collaboratively and safely report vulns to all types of projects - FOSS, proprietary, or otherwise.

  2. Will this database be open to contributions from other companies/organizations/individuals? What about zero-days in FOSS solutions?

    One of the issues that my company has is that if we report findings in FOSS project and submit changes back to the community, we would be liable if these changes introduced yet further security flaws (perhaps no legally, but definitely from a media standpoint). Therefore, it's our policy to not report any findings in any solution we use, and vulnerability data is strictly for internal use only. This really becomes an ethical dilemma, though, and it would be great if we could report vulnerabilities to FOSS and proprietary solutions alike in a safe and responsible manner.

  3. [controversy]How does public know if it is for real? [/controversy]

  4. I have little experienc, can I get hired?

  5. Here is article from Wired Magazine written after interview with me


    What about these kind of problems?

  6. Chris, Thanks for sharing your thoughts on Security. Project Zero sounds amazing!

  7. You should create a hacking crawler that tries to gain root access to every server in the world, and for servers that it succeeds at gaining access to, re-configures their server in a more secure fashion.

  8. Why don't you get your own house in order first? Seriously, you left tens of thousands of Chrome users vulnerable for days to the recent Rosetta Flash Vulnerability because rather than allow users to update with a new release, you relied upon your dysfunctional Component Update System.

    Worse, the scores of Chrome user complaints were ignored on your Chrome Release blog.

    I am completely unimpressed with Google's idea of security, and will remain so until your team provides answers to why you left your loyal Chrome users both vulnerable and in the dark.

    To read what I'm talking about, go here: http://googlechromereleases.blogspot.com/2014/07/flash-player-update.html

  9. я взломал десятки аккаунтов гугл-почты
    возьмите меня в гугл и я расскажу как это делается

  10. Chris - We applaud Google's effort in this area. One question I have is regarding public report "typically once a patch is available."

    Like Google, we support and practice responsible disclosure. One concern we have in the mobile space is the slow pace at which many developers deal with security vulnerabilities once reported. We find even large companies taking 2 weeks to initially respond, and several weeks or even months after that to repair issues like man-in-the-middle vulnerability.

    At the same time, if a mobile app is vulnerable, in most cases end users can protect themselves immediately by uninstalling the vulnerable app. It is essentially different from OS or server software vulnerability.

    We believe responsible disclosure deserves timely remediation, and users deserve timely notification if their apps are insecure.

    I hope Google will help set a high expectation in the mobile space for security response and remediation.

    Again, great to hear about this initiative.

    Ted Eull, viaForensics

  11. umm, oops where you not doing this before? I mean come on what makes you think that is different from what you had and should have done before you launched the services? Here is food for thought, Where as I understand and completely agree with the threat landscape changing everyday, evolving our defenses takes some time. But as project such as your 'Porject Zero' which I believe is a holistic program to combat threats on internet that includes 0day vulnerabilities, encrypting traffic across communication channels and storage have been launched before and therefore forgive me for being a non-believer in your attempts to secure my online life. Meanwhile NSA is busy digging up dirt on me from the data that 'YOU' gave them.

    - Hilal

  12. Who should I contact about hiring? Thank you very much!

  13. That's extremely nice to hear but
    I'm wondering how to go about being a part of this team's mission.

  14. The biggest issue with zero-day exploits and waiting for patches to become public, is that until the vendor decides to release a patch, it is still a zero-day issue. And can remain that way for months or years, as we have seen.

    How will this Project Zero seek to minimize the disruptive impact of announcing vulnerabilities vs. the ability for people to block them if they know about them?

  15. Good to know. This is much needed.

  16. typo:

    s/criminal or state-sponsored actor/ criminal state-sponsored actor/

  17. Hardening the internet is a big goal, i believe disarming botnets and persistent chain attacks can be the first priority to make the world free of spam and DDOS. your thoughts?

  18. Without naming my once favorite XXX Droid phone vendor which left me with 4.1.1 with Heartbeat = on for TOO long, it is sad the Android ware is at the mercy of phone vendors who refuse to update their Open SSH/SSL until we share a lot of hate about them. Finally the short patch came along to stop Heartbeat. I'd hate to migrate to iOS for protection. Thnx Google

  19. Great initiative. I translated your post on my blog for the French community.

  20. Any intent or interest in coming up with uniform mechnisms to defeat persistent tracking mechanisms like those described recently here?


You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.