Google starts zero-day research group

Summary:Through Project Zero, Google will pay researchers to report information about vulnerabilities in third-party programs.

Google has created a new project for funding vulnerability research, Project Zero.

According to Chris Evans, "Researcher Herder" at Google, the objective of Project Zero is to reduce the number of people harmed by zero-day attacks.

Google already has a bug bounty program for its own products. The point of Project Zero is to fund vulnerability research on "any software depended upon by large numbers of people," according to Evans. In addition to vulnerabilities, Project Zero will research "mitigations, exploitation, program analysis — and anything else that our researchers decide is a worthwhile investment."

The announcement says Google is hiring outsiders to join in, although it does not explain how researchers can sign up.

Google has established an external database to house the research. The company will report bugs only to the software vendor and release the information only when the vulnerability becomes public, which typically is when the vendor issues a patch for it. Researcher discussions about the vulnerability, including its exploitability, will be public as well as the time it took the vendor to patch (assuming it had been patched yet).

Google researchers already have a large track record of research into other vendors' software. Microsoft and Apple disclosures often credit Google researchers for reporting vulnerabilities. 

There are many third-party research groups, such as HP's TippingPoint Zero Day Initiative, that work in ways similar to Project Zero, paying third-party researchers to submit bugs in others' products. Microsoft has a program for research into vulnerabilities in third-party products. It accepts reports from third-party researchers, but doesn't pay for them.

Topics: Security, Google


Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.