Google “Project Zero” hopes to find zero-day vulnerabilities before the NSA

"You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications," writes Google security researcher Chris Evans. To help make that a reality, Google has put together a new team of researchers whose sole purpose is to find security flaws in software—any software—that's used on the Internet.

Google employees have found and reported security flaws in the past, but only as a part-time effort. The new "Project Zero" team will be dedicated to hunting for the kind of exploitable flaws that could be used to spy on human rights activists or conduct industrial espionage. Aiming to disrupt targeted attacks, the team will look at any software that's depended on by a large number of people.

Project Zero will report bugs it finds only to the software vendor, and it will give those vendors 60 to 90 days to issue patches before public disclosure. This time frame may be reduced for bugs that appear to be actively exploited.

Read 4 remaining paragraphs | Comments