Google’s Project Zero – You’ve Got 90 Days

Minor flaws in coding can leave users exposed to a world of cyber criminals. To help find these vulnerabilities, software companies often have their own team of hackers and programmers who try to exploit the system before it goes live. One team, known as Project Zero, has expanded these security practices beyond its own company's software and is now threatening to expose vulnerabilities in rivals' software if they are not fixed within 90 days.

Self Appointed Security Police

Google’s Project Zero, a crack team of hackers and programmers named after the feared “zero day” security flaw, scrubs both Google's own and competitors’ software looking for vulnerabilities. When one is spotted, they contact the company, make them aware of it, and give them a deadline of 90 days to patch it. Google has remained firm in its 90-day policy, even denying a request from Microsoft not to reveal a security bug for an additional 48 hours because it had been corrected in a patch release scheduled to go out the next morning.

While finding security flaws and pressuring companies to fix them is a good idea, perhaps it's unfair that Google is turning into the security police. While Microsoft and Apple have declined to comment on the subject, Chris Betz, the Senior Director of the Microsoft Security Response Center, wrote a strongly worded blog post. In his post, Betz expressed anger at the fact that Google made public a security flaw that was going to be patched the next day, giving hackers a narrow window to exploit it.

Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result.

Apple has declined to comment on the matter and Microsoft has only pointed inquiries to the statement made by Betz. Others in the industry have not been as closed-lipped, suggesting Google is overstepping its bounds and taking on a role best left to government or a neutral body. John Dickson, a principal with software security company Denim Group Ltd., spoke out saying that while he thought the concept was a good idea, he wasn’t so sure about Google spearheading the venture.

“I’m not sure who made Google the official referee of the marketplace for vulnerability notification… What noble motives they had in mind could be called into question given the fact that they essentially outed vulnerabilities for two of their biggest rivals.” – John Dickson

Others in the industry have questioned whether Google’s motives are truly as altruistic as it claims. To many, it appears Google is simply trying to stamp out competition. A strict 90-day policy may, in fact, hurt customers more than it helps them. By exposing security flaws that would otherwise have gone unnoticed, Google may be helping hackers. Microsoft and others have suggested there are better, more productive ways to handle these issues than making them public.

Images from Shutterstock.

A UNC Chapel Hill graduate, blockchain enthusiast and analyst. I have a background in programming and IT, strong studies in econ, stats and game theory. I'm interested in online privacy and privacy laws.