Google Inc. has a elite team of hackers and programmers called Project Zero so named after the “zero day” security flaws that are exploited before developers learn of them.
Project Zero scrubs their own and competitors’ software for security flaws, giving companies a deadline, more specifically a 90 day ultimatum to patch their software vulnerabilities or they will make them public knowledge.
In an effort to “motivate” competitors like Microsoft Corp. and Apple Inc. to fix their buggy software before the real cyber criminals take advantage of the flaws in their unpatched code. Of course, both Microsoft and Apple are not keen on this.
Opponents of Google’s Project Zero’s practice say it puts online security at risk by revealing gaps before they can be plugged. Of course, hackers in the know work fast to purposefully exploit software flaws when they become known.
Consider when the Chinese-backed intruders exploited a Web-security flaw known as Heartbleed to attack Community Health Systems Inc. after only a week after the software flaw was publicized.
Even, Apple pleaded with Google to wait before going public so it could fix their flaws in the Mac OS X operating system. Google knew the fix was coming and had possession of the updated source software because they also served as a developer for Apple at the time. Google refused and released any details to the public of the flaws. Microsoft, also, requested additional time to fix a flaw in their Windows OS. Google, again, refused and publicized the bug.
Google supporters say the Project Zero’s 90 day hard-line approach may motivate the software industry to focus on better security patching practices in which companies can take months or years to patch their bugs.
To date, Google’s Project Zero has identified 39 vulnerabilities in Apple products and 20 in Microsoft products. The team also has found 37 flaws in Adobe Systems Inc. software and 22 in the FreeType software development library for rendering fonts..
It is a good thing for consumers that Google’s Project Zero has taken the role of patch it or we’ll report it task master as many of these companies products can leave users vulnerable to hacks that can create more grief and deeper problems if they are not put in check.
Project Zero just drew the line in the sand, how the effected companies react to this will determine what products you can really trust with your data in the future.