When Google launched their Project Zero initiative in July of 2014 it was met with a rather chilly response from the software development community. The last thing developers wanted was a competitor monitoring their software for potential security flaws. Now, with more than 8 months under their belt and more than a few public disclosures to their credit (or discredit, as the case may be), Google continues to come under fire for exposing security flaws in other firms’ products. Software developers, Microsoft and Apple among them, are claiming that Project Zero is actually doing more harm than good, and that Google’s public disclosures of security vulnerabilities are putting the public at risk.

Project Zero – A Short Primer

For those unfamiliar with Project Zero, it is Google’s attempt to uncover software vulnerabilities that could be exploited by hackers and cyber criminals. Google’s research team is tasked with discovering these vulnerabilities, after which the developer is notified of the flaw and given 90 days in which to develop a suitable patch that addresses the problem. If the software developer fails to provide a solution within 90 days, Google goes public with the vulnerability. These public disclosures are intended to act as an incentive for software firms to fix security flaws in a timely manner.

The Project Zero Controversy

The controversy over Project Zero’s public disclosure policies began in December when Google disclosed a bug in Microsoft’s Windows 8.1 operating system. Things quickly escalated when Google went on to reveal three security vulnerabilities in Apple’s Mac OS X operating system. In both cases, Google maintained that they had notified the firms and given them 90 days in which to provide a patch that would address the security flaws. True to their word, when Apple and Microsoft failed to meet the deadline Google went public and revealed the bugs.

Understandably, Apple and Microsoft were outraged at the disclosures. But they weren’t alone. Lamar Bailey, director of security research and development at Tripwire, called the disclosures “irresponsible”. Bailey claims that the flaws were minor, and that it is unlikely that hackers would have even noticed them had it not been for Google’s public disclosures. Bailey went on to say that Google was leaving Apple and Microsoft users “with no way to protect themselves while giving hackers all they need to exploit these vulnerable systems”.

Support for Google

While the Microsoft and Apple disclosures stirred up controversy, Google did find some support from the development community. Timo Hirvonen, a researcher for F-Secure, acknowledged that “Google’s Project Zero team is a group of very talented vulnerability researchers”. He went on to say that the “policy of automatically disclosing vulnerabilities after 90 days is a strong incentive for vendors to quickly patch the vulnerabilities that have been reported to them”. K. T. Keanin, chief security officer for Lancope in the States, agrees, arguing that Project Zero’s intentions are sound and that they do provide some security benefits.

Google Responds to the Controversy

In response to the mounting controversy, Google has offered to work with developers who are actively creating patches for their flawed software. Moving forward, if a developer notifies Project Zero that they have a software patch in the works, Google will allow an additional 14-day grace period before making any public disclosure. For many software vendors this is too little, too late. But Google is holding firm that no further concessions will be made. If a vendor is notified that there are vulnerabilities in their software, they must address the issues in a timely manner or risk full public disclosure.

Will Google’s Project Zero improve security for smartphone and tablet users? Only time will tell. But it is clear that, controversy or no, Project Zero has no intention of backing away from their original remit. Software developers must put the security of their customers first, or suffer the consequences.
