Google has always invested in Internet security; however, recently it appears that helping create a safer web is their top priority. In addition to switching to always-on SSL by default for Google Search, Gmail, and Google Drive, they have paid “bug bounties,” or rewards, to individuals who report security flaws in their products.
But keeping their own products safe isn’t enough. Google has assembled a Project Zero team to hunt down security vulnerabilities and bugs in any software used by a large number of people.
[The Project Zero] objective is to significantly reduce the number of people harmed by targeted attacks. We’re hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.
— Chris Evans, Google Security Engineer
Following the independent discovery of the OpenSSL bug Heartbleed, interested parties like Google have devoted more time and resources to research that identifies security vulnerabilities online and makes the Internet a safer place for users.
In the Dark Market, Vulnerabilities Are for Sale
The goal is to create an Internet where people across the world can use the web without “fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” said Chris Evans.
Despite programs that reward individuals who report security issues, in the dark market, those same vulnerabilities can be sold for $50k-$100k. Cybercriminals then use vulnerabilities to target large groups of consumers and human rights organizations, and even to spy on corporations. The Google team has pledged transparency so that others can collaborate with them in their security research and eliminate the growing threats to data security online.
Fixing Real-Time Internet Security Threats
Project Zero team members have extensive experience in software security and are highly regarded in the security industry for their contributions in helping identify bugs in current popular applications and devices.
In addition to conducting research on public software, the project will create a repository of data that includes:
- Real-time bug reports to vendors
- Vendor time-to-fix performance
- Discussion on exploitability of bugs
- Historical exploits of security bugs
- Vulnerability mitigation resources
Collaborating to Manage Security and Threat Detection
SSL encryption is at the core of data security. At DigiCert, we’ve built security vulnerability detection into every major utility and service that we offer to our customers.
Services like Certificate Inspector, which allows administrators to manage SSL Certificates used within their network, and our SSL Installation Checker automatically check websites for common security issues like Heartbleed, weak keys, and a number of other critical vulnerabilities reported by groups like Google’s Project Zero.
True security today is independent of any single piece of software or device. The development of this security team and others who are doing similar work independently shows that keeping people and systems safe today takes a collective effort and depends on different parts and multiple vendors collaborating in real time to stay ahead of information security threats.