Can Google make the Internet bug-free?

Google is recruiting top-tier cybersecurity experts for 'Project Zero,' which aims to find and fix bugs across the Internet. 

The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called the 'Heartbleed Bug' in Toronto, April 9.

Mark Blinch/Reuters

July 15, 2014

Google announced Tuesday a new project it says will make the Internet more secure.

How exactly will the search giant take on the seemingly never-ending task of locating and fixing the bugs and hacks that proliferate across the Web? Through its very own team of hackers.

Google is calling this team Project Zero, a group tasked with researching and improving the security of any software used by large numbers of people on the Internet. 

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

"You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications," writes Chris Evans, who has recruited and put together the team for Project Zero, in a Google security blog post.

Mr. Evans explains that what are known as "zero-day" attacks – attacks that exploit vulnerabilities in patches of software that developers have not been able to fix – have proven a major threat to both companies and individual actors, such as human rights activists, who rely on the Internet. Project Zero's goal is to counter these types of attacks.

"Our objective is to significantly reduce the number of people harmed by targeted attacks," Evans writes in the post. "We're hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet."

Evans notes that the part-time work undertaken by security researchers has led to important discoveries like Heartbleed, the security vulnerability that made vast swaths of the Internet susceptible to attack. Now, Google wants security experts working full-time to monitor these types of problems. 

According to Wired, Google is still searching for team members and intends to ultimately assemble more than 10 full-time security researchers. Among those who have already been tapped for Project Zero include New Zealander Ben Hawkes, the UK's Tavis Ormandy and Ian Beer, and American George Hotz, who made a name for himself by hacking Google's Chrome OS defenses at the Pwnium hacking competition in March, Wired reports. The team will be led by Evans, who previously helmed Google's Chrome security team, and be mainly based in Google's headquarters of Mountain View, Calif. 

Google emphasizes that Project Zero will dedicate its talents to fixing bugs found in any corner of the Internet, not just Google software. Why? For starters, Google says this effort is for the general betterment of the Internet. Then again, if the Internet wins, so does Google. After all, Google's bread and butter is targeted advertising. And that comes from users feeling safe enough to surf the Web – and click on ads. 

“If we increase user confidence in the internet in general, then in a hard-to-measure and indirect way, that helps Google too,” Evans told Wired. 

But this project also follows recent trends taken by Google to resist government surveillance in the wake of revelations of National Security Agency spying made last year by former government contractor Edward Snowden. Mr. Snowden's leaks revealed that the US government was spying on information from Google's users, Wired points out. In response, Google has taken initiatives like the End-to-End Chrome extension, a security tool to let users encrypt their e-mails as they move from a Web browser to a recipient's inbox by turning them into a series of unreadable characters. In addition, Google's bug bounty program awards cash prizes to security researchers who find bugs in Google-owned Web properties. 

For Project Zero, bugs will be reported to the software's vendor, not to third parties. Then, in the spirit of transparency, after the vendors have had the chance to deal with the bug, all bugs will be filed in an external database where users will be able to "monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces," Evans writes in the security blog post. 

"We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time," he adds.