Microsoft Corporation and Google, Incorporated are at it again. This time the dispute involves a vulnerability notification from Google security researchers on the team called “Project Zero.” Project Zero is the name of Google’s new team of software bug bounty hunters.
Project Zero’s bug hunters were assembled to uncover avenues of attack before anyone acts on them with malicious intent. They also hunt software bugs so that software companies can immediately set to work on patching and fixing the security flaw. Google prepares the details of such vulnerabilities for publication in an open database, giving the general public transparency and increased awareness, and thus pushing vendors to be more responsible when producing and distributing software. Google’s Project Zero team will also work with other vendors to update and secure software.
Google’s Project Zero team follows a stringent publishing policy once a vulnerability has been discovered. Yes, they do give the software company time to repair the flaw before publishing. However, the team is to report on the vulnerability if the publisher of the software has not patched or fixed the flaw within ninety (90) days. Google isn’t giving its team any wiggle room on the deadline for publishing such software security flaws.
Unfortunately, it has been reported that Microsoft was about to patch a known Escalation of Privilege (EoP) vulnerability in its Windows 7 and 8.1 operating systems just two days after Google’s Project Zero team announced and published the flaw to the public, as its standard operating procedure of adhering to the ninety (90) day reporting policy dictates.
Google has stated that it is not trying to cause any problems and is only trying to ensure the safety of all software users. The Project Zero team and its security chief also stated that they will look further into protecting users of some of the web’s most commonly used software, operating systems, and operating system tools, such as Google’s own Chrome, Microsoft’s Internet Explorer, and other connected software and operating systems.
Although this seems like a great effort on Google’s part, some cybersecurity experts believe that, while such initiatives are great, more emphasis needs to be placed on the software developers themselves. Developers need to get better at coding security into their software products well before the software hits the market. Google states further, “As an industry we still need to drive the message home to many software companies that they have a duty of care and responsibility to ensure their code has security built into it from the very beginning.”