Google Project Zero is a security research unit within Google Inc.
The role of the Project Zero team is to find vulnerabilities in popular software products, including those created by Google itself. When the research team discovers and validates the existance of a vulnerability, the team quietly reports the bug to the company responsible for the software and gives the company 90 days to fix the problem.
If the vulnerability has not been fixed after 90 days, the Project Zero team automatically releases information about the bug and provides the general public with sample attack code. The intent of the 90-day disclosure policy is to encourage companies to fix the problem in a timely manner before attackers discover the same vulnerability and exploit it. Critics of the automated disclosure policy have asked why Google has the Project Zero team policing third-party products. They also wonder whether the Project Zero team is as quick to disclose vulnerabilities in Google products as they are to release information about third-party software bugs. Proponents of Project Zero maintain that the general public benefits by all security research and Google has a responsibility to research software products that are likely to be used in conjunction with Google products. Google announced the existance of Project Zero to the public on July 15, 2014.
In February 2015, Project Zero adjusted its disclosure policy after it inadvertently caused controversy within the security community by automatically disclosing a security flaw in Windows 8, even though Microsoft had notifed Google they were about to release a patch to fix the problematic code. The revised Project Zero policy now allows for a human being to intervene and extend disclosure up to 14 additional business days as long as the vendor has notified Google that a patch will be released on a specific day within the 14 day grace period. The team also announced it would begin assigning each vulnerability a unique CVE identifier. CVE-IDs ensure that vendors, network administrators and other interested parties can gather information from many sources and be assured that all information about a particular CVE-ID addresses the exact same vulnerability.