This article's lead section may be too short to adequately summarize the key points. Please consider expanding the lead to provide an accessible overview of all important aspects of the article. (August 2023)

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities.[1] It was announced on 15 July 2014.[2]

History

After finding a number of flaws in software used by many end-users while researching other problems, such as the critical "Heartbleed" vulnerability, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but any software used by its users. The new project was announced on 15 July 2014 on Google's security blog.[2] When it launched, one of the principal innovations that Project Zero provided was a strict 90-day disclosure deadline along with a publicly visible bugtracker where the vulnerability disclosure process is documented.[3]

While the idea for Project Zero can be traced back to 2010, its establishment fits into the larger trend of Google's counter-surveillance initiatives in the wake of the 2013 global surveillance disclosures by Edward Snowden. The team was formerly headed by Chris Evans, previously head of Google's Chrome security team, who subsequently joined Tesla Motors.[4] Other notable members include security researchers Ben Hawkes, Ian Beer and Tavis Ormandy.[5] Hawkes eventually became the team's manager and then resigned on 4 May 2022.

The team's focus is not just on finding bugs and novel attacks, but also on researching and publicly documenting how such flaws could be exploited in practice. This is done to ensure that defenders have sufficient understanding of attacks; the team keeps an extensive research blog with articles that describe individual attacks in detail.[6]

Bug finding and reporting

Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released[2] or if 90 days have passed without a patch being released.[7] The 90-day-deadline is Google's way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks.[7] There have been cases where the vendor does not produce any solution for the discovered flaws within 90 days, before the public disclosure by the team, increasing the risk to already-vulnerable users.[8]

Notable members

Past members

Notable discoveries

See also

References

  1. ^ Greenberg, Andy (15 July 2014). "Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers". Wired. ISSN 1059-1028. Retrieved 6 March 2019.
  2. ^ a b c Evans, Chris (15 July 2014). "Announcing Project Zero". Google Online Security Blog. Retrieved 4 January 2015.
  3. ^ "Project Zero Bug Tracker". Retrieved 11 April 2019.
  4. ^ "Chris Evans on Twitter". Retrieved 22 September 2015.
  5. ^ a b c d e f Greenberg, Andy (15 July 2014). "Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers". Wired.com. Retrieved 4 January 2015.
  6. ^ "Project Zero Research Blog". Retrieved 11 April 2019.
  7. ^ a b c d Dent, Steven (2 January 2015). "Google posts Windows 8.1 vulnerability before Microsoft can patch it". Engadget. Retrieved 4 January 2015.
  8. ^ Fingas, John (4 March 2019). "Google discloses 'high severity' Mac security flaw ahead of patch". Engadget. Retrieved 6 March 2019.
  9. ^ a b Davies, Chris (3 January 2018). "Google reveals CPU security flaw Meltdown and Spectre details". SlashGear. Retrieved 4 January 2018.
  10. ^ "Google says it's too easy for hackers to find new security flaws". Retrieved 3 February 2021.
  11. ^ a b "aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript". 18 December 2017. Retrieved 18 December 2017.
  12. ^ "iOS zero-day let SolarWinds hackers compromise fully updated iPhones". 14 July 2021. Retrieved 14 July 2021.
  13. ^ "Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)". 4 April 2017. Retrieved 12 April 2019.
  14. ^ "Lawfareblog Hard National Security Choices Matt Tait". Retrieved 9 March 2017.
  15. ^ TIME Cybersecurity: Hacking, the Dark Web and You. Time Inc. Books. 19 January 2018. ISBN 9781547842414.
  16. ^ "Issue 118: Windows: Elevation of Privilege in ahcache.sys/NtApphelpCacheControl". 30 September 2014. Retrieved 4 January 2015.
  17. ^ "Exploiting the DRAM rowhammer bug to gain kernel privileges". 9 March 2015. Retrieved 11 April 2019.
  18. ^ a b "Issue 1139: cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory". 19 February 2017. Retrieved 24 February 2017.
  19. ^ "Incident report on memory leak caused by Cloudflare parser bug". Cloudflare. 23 February 2017. Retrieved 24 February 2017.
  20. ^ "Another hole opens up in LastPass that could take weeks to fix". Naked Security. 29 March 2017. Retrieved 29 March 2017.
  21. ^ Siegrist, Joe (31 March 2017). "Security Update for the LastPass Extension". LastPass Blog. Archived from the original on 7 April 2018. Retrieved 2 May 2017.
  22. ^ Greenberg, Andy (3 January 2018). "A Critical Intel Flaw Breaks Basic Security for Most Computers". WIRED. Retrieved 4 January 2018.
  23. ^ Tim (29 August 2019). "Project Zero: A very deep dive into iOS Exploit chains found in the wild". Project Zero. Retrieved 30 August 2019.
  24. ^ Cox, Joseph (30 August 2019). "Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years". Vice. Retrieved 30 August 2019.
  25. ^ Goodin, Dan (7 September 2019). "Apple takes flak for disputing iOS security bombshell dropped by Google". Ars Technica.
  26. ^ "Issue 1826: iMessage: malformed message bricks iPhone". bugs.chromium.org. 18 April 2019. Retrieved 9 September 2019.
  27. ^ Beer, Ian; Groß, Samuel (15 December 2021). "Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution". Google Project Zero. Retrieved 16 December 2021.

External links

Google
Categories