Google To Combat Zero-day Attacks With Project Zero
Google has created Project Zero, a team of security researchers that will try to document and stop the latest zero-day threats before they can be exploited. You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.
With Project Zero, Google will try to significantly reduce the number of people harmed by targeted attacks. The team consists of practically-minded security researchers that will work toward improving security across the Internet.
Google is not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying attention to the techniques, targets and motivations of attackers. The company will use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, Google is willing to conduct new research into mitigations, exploitation, program analysis—and anything else that researchers decide is a worthwhile investment.
Every bug discovered will be filed in an external database, and bugs will be reported only to the software's vendor, not to third parties. Once the bug report becomes public (typically once a patch is available), users will be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces.