Hacker News new | ask | show | jobs
by albntomat0 2178 days ago
Since this always comes up, here's an overview I made several weeks ago about where Project Zero focuses their efforts:

All counts are rough numbers. Project zero posts:

Google: 24

Apple: 28

Microsoft: 36

I was curious, so I poked around the project zero bug tracker to try to find ground truth about their bug reporting: https://bugs.chromium.org/p/project-zero/issues/list For all issues, including closed:

product=Android returns 81 results

product=iOS returns 58

vendor=Apple returns 380

vendor=Google returns 145 (bugs in Samsung's Android kernel,etc. are tracked separately)

vendor=Linux return 54

To be fair, a huge number of things make this not an even comparison, including the underlying bug rate, different products and downstream Android vendors being tracked separately. Also, # bugs found != which ones they choose to write about.
3 comments
londons_explore 2178 days ago
Project Zero has uncovered 2033 issues... The majority of those could be used alone to ruin your life. The rest might require 2 (Eg. one for the sandbox, one for the kernel).

Thats a team of ~10 security researchers over many years...

Considering how many are being discovered each day/month/year, chances are that there are at least hundreds undiscovered...

If it only takes one to ruin your life, and a good security researcher can find one in a few weeks, or months at most, the barrier to someone evil is really really low...

link
Avamander 2178 days ago
> good security researcher can find one in a few weeks

s/good/extremely good/

This doesn't change the fact that someone evil will still probably find one.

link
londons_explore 2178 days ago
Most experts have expertise on only one or two different OS's or bits of software.

The found issues will strongly depend who happens to be on the Google Project Zero team at the moment.

link
albntomat0 2178 days ago
I generally agree, although I think from what I’ve seen, their researchers are pretty flexible.

My post was to counter folks thinking P0 is a Google hit job, which seems to come up frequently on HN.

link
empath75 2177 days ago
Even if Project Zero exclusively focused on competitors, they'd still be providing a valuable service. Maybe Microsoft and Apple should have the same sort of project. If they're all competing at who can break each other's code the worst, that'll end up with better products from all of them.
link