That is the principle behind Google’s “Project Zero”, described by Andy Greenberg of Wired as “an elite team of full-time hackers paid to hunt security vulnerabilities in every popular piece of software that touches the internet”.
For a long time Google and other internet companies have offered “bug bounties” to “white hat hackers”, as they’re sometimes called, who identify vulnerabilities in their code.
The difference with Project Zero – named because they are focused on “zero-day” flaws, “the most insidious security flaws in the world’s software” – is that they’re integral to the Google operation, and they’re tasked with probing any software, not just Google’s.
When they identify a bug “they say they’ll alert the company responsible for a fix and give it between 60 and 90 days to issue a patch before publicly revealing the flaw on the Google Project Zero blog”.
The “dream team”, which includes the New Zealander Ben Hawkes, apparently a graduate of Victoria University, “credited with discovering dozens of bugs in software like Adobe Flash and Microsoft Office apps in 2013 alone”, isn’t simply bothered with small-time cyber-crooks.
It represents an acceleration of Google’s “counter-surveillance measures” following revelations from whistleblower Edward Snowden that showed the extent to which the NSA and other agencies were able to snoop by exploiting zero-day vulnerabilities.
One of Project Zero’s principal objectives, says Greenberg, is to “starve spies of the bugs their intrusions require.”