Tech giant Google on Tuesday announced a new team of security researchers aimed at making the web a safer place by discovering "zero day" vulnerabilities. But if you're not a security researcher, you might be asking what exactly zero day vulnerabilities are. Don't worry, we're here to help.
What is a zero day vulnerability?
Essentially, it's an unknown bug in a computer application. Software companies are pretty much constantly working to find and fix problems in their programs, but coding can be a messy business and mistakes often slip through. When a company finds a problem, they release a patch for it -- that's why you're probably pretty used to your operating system or a plug-in asking you to apply updates.
But the companies aren't always the first to discover a problem. And when one of these bugs is discovered in the digital wild, programmers are expected to fix it as soon as possible -- hence the term "zero day": the developers have had zero days to patch the problem before cybercriminals or other adversaries can potentially exploit it.
Can you give me an example?
The easiest recent example is Heartbleed -- the coding bug found in the widely-used encryption library OpenSSL earlier this spring. That flaw went undetected for two years before it was discovered by security researchers and fixed. But there's no telling if someone else with less noble intentions uncovered and exploited the bug during those two years.
So what happens when a hacker discovers a bug?
That really depends. White hat, or good guy, hackers are likely to report the issue to the software company so they can fix it -- some software firms offer financial incentives called "bug bounties" to hackers who find problems. However, sometimes when a hacker discloses a vulnerability, he or she ends up being threatened with legal action by the software firm.
Some hackers aren't so interested in being honest and will try to sell their discovery of the bug to someone who wants to exploit it -- and who will want to pay much more than a bug bounty fee. There is a fairly robust grey market of sorts where bugs in popular programs are sold for tens or even hundreds of thousands of dollars. Sometimes the buyers are governments that use the zero days to infiltrate the accounts of human rights activists or target corporate networks to conduct industrial espionage.
The United States even gets in on the game: A contract released by MuckRock in response to a Freedom of Information Act request last year revealed that the National Security Agency purchased information from French security company Vupen about zero-day vulnerabilities and software.
Of course, if the hacker is a full-fledged cybercriminal, he might just exploit the bug himself for profit.
How (and why) is Google trying to fight this exactly?
Basically, the company is trying to recruit an all-star team of security researchers who will work on trying to discover bugs around the web before the bad guys do.
We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We'll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we'll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.
In a broad sense, this is good for users and for Google. Consumers will have more people trying to protect them online. Plus, if the web is more secure, consumers will be more likely to trust online services -- and by extension, Google services.
There's also another potential long-term benefit for Google: Having free rein to chase down bugs anywhere online is very attractive to a lot of talented white hat hackers. And if Google can get them in the door, they might end up helping out with internal security or helping develop other Google services down the line.