An aggressive new policy on security is getting some major IT players angry at Google, according to a Globe and Mail article by Chris Strohm and Jordan Robertson. Essentially, Google is publicly calling out its rivals on security flaws in their software.
Google’s approach isn’t quite draconian, though: when a security flaw is found, the company gives the party at fault 90 days to fix it before going public. The thing is, Google has dedicated resources to this endeavour: a team called Project Zero, started last summer, whose raison d’être is to find these security flaws.
It’s easy to see how a company’s focus on finding flaws in its competitors’ products could rankle them. And it has been quite strict about its deadlines; Strohm and Robertson cite instances in which both Apple and Microsoft pleaded for extra time to fix their bugs – asking only for extra days, not weeks – and were refused. It could be argued that in those cases, Google was actively endangering the online security of its rivals’ customers.
For Google’s part, the company says its policy is aimed at the greater good. At the project’s outset, the company argued that its “objective is to significantly reduce the number of people harmed by targeted attacks.” One security expert interviewed for the article said that the strictness of the policy is “good for the industry”. And Google has been perfectly transparent about its activities here; it’s not a stretch to imagine that its rivals might look for security flaws in its software in secret, to get a competitive advantage.
Whether for good or ill, Project Zero could have increasingly significant implications as two major trends continue: The shift of financial transactions into the digital and mobile sphere, and the proliferation of the Internet of Things. Both of these will put an enormous amount of sensitive data online, and the exploitation of software security vulnerabilities could become all the more devastating. A lot is at stake – and that’s the same point being made by Google and its rivals alike.