Google builds elite hacker squad to hunt for bugs


'Project Zero' unveiled.

Google is setting up an expert team of hackers whose task will be to search the internet for security vulnerabilities, in an effort to protect the general public from cyber attacks.

The 'Project Zero' squad will be made up of the "best practically-minded security researchers" and will aim to reduce the number of people affected by targeted attacks, the search giant announced last night.

Early Project Zero staffers include George "Geohot" Hotz, a hacker who reverse engineered the PlayStation 3 and was sued by Sony for his troubles.

New Zealander Ben Hawkes, who specialises in Adobe Flash and Microsoft Office vulnerabilities and who has been with Google since 2010, is also part of the team, as is Briton Tavis Ormandy, who has discovered exploits in the Windows operating system kernel.

The team will search for vulnerabilities and holes in popular software programs, and will conduct research into mitigation and exploitation techniques. 

Google security executive Chris Evans said the project had no set perimeters and the team would work on improving the security of any software product used by lots of people.

The team will in particular focus on finding and reporting zero-day vulnerabilities - previously unknown bugs that are discovered and exploited by threat actors before developers are able to fix them.

Unlike private security firms which hunt for bugs but do not always make their findings available, and in some cases choose to sell the information to other parties, Google said every bug discovered by the team would be made public through an external dedicated database.

Vulnerabilities would also be reported first to the affected software vendor, Google said.

A bug would typically become public after a patch is available, at which point the general public would be able to monitor the vendor's response to the vulnerability, view discussions around exploitability, and access historical exploits and crash traces.

"We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time," Evans said.

He said the public should be able to use the internet without worrying about being harmed by exploitation of software holes.

"Yet in sophisticated attacks, we see the use of 'zero-day' vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem," Evans wrote.

The move follows the pivotal role played by Google researchers in discovering the Heartbleed vulnerability, a serious bug in the popular OpenSSL cryptographic library which left large amounts of private keys and other secrets exposed to anyone wanting to access them.
