Project Zero: Show Google's bug-hunting scheme some love

So Google reminds us that it has invested heavily in security, including encrypting data as it moves between datacentres, and is now looking towards securing stuff by other people on the Internet.

In a recent blog post, Google revealed researchers had already been spending time looking for vulnerabilities (the discovery of the well-publicised Heartbleed bug was largely down to Google's involvement) and that part-time researchers are becoming part of a full-time unit known as Project Zero.

The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released.

These folk will be employed to look for vulnerabilities within the wider Internet, zero-day hunters in other words. Bravo, you might think. Well done Google for doing something to make things more secure for all of us.

Yet the news was immediately pounced upon by the naysayers, with numerous comments from people telling Google to get its own house in order first before turning its attention outwards, with liberal mentions of Chrome vulnerabilities and NSA involvement being bandied around.

I, however, was not one of them. Sure, Google could have handled vulnerability discovery and patching in its own products better, but how does that invalidate it establishing a team of very experienced bug-hunters to go out there and find zero-days?

As for the NSA allegations, which centre around Google "willingly" co-operating with the US security agency to give them access to our data, that was merely Google reacting to its legal obligations when presented with a court order. And again, this has absolutely no impact upon whether Project Zero is a good thing or, indeed, a workable idea.

And there, dear reader, we find the real question that should be asked: can Project Zero deliver? Google has already hired some good people, with a well-documented track record in bug hunting, and that's a good start.

However, zero-day research teams are not a new thing, they have been around for many years and zero-days still exist. The Google promise of responsible disclosure is a good one, with bug reports to the vendor only and no public disclosure until a patch has been released. What worries me is how long that patch will take to roll out.

Maybe the haters had a point when talking about time to fix problems with Google Chrome, as that left users exposed to vulnerabilities in the meantime.

That's a hurdle any vulnerability research team has to clear. It's not just a matter of finding zero-days but getting vendors to patch them in as short a time as possible. Maybe Google, being the giant that it is, will have more clout in persuading vendors to act more quickly than they do presently.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at