Google to tech firms: Fix your security flaws or we'll expose them

Google has become the enfant terrible of the technology industry by threatening to expose security flaws in other companies' software unless they're fixed within 90 days.

The effort by Google's elite hacker team — known as Project Zero – is creating controversy in Silicon Valley at a time of rising concern about cybersecurity threats.


Some support Google hackers' effort to find bugs, arguing that security vulnerabilities can go unnoticed or unaddressed for years, placing users' data at risk.

At the same time, few companies have openly welcomed Google's brash effort to play referee.

Critics say Project Zero is a campaign best left for government regulators, not a company that competes with some of the firms it vets. Plus, they argue, publicizing bugs creates its own set of problems for security.

Project Zero has ratcheted up tensions between Google and other major tech firms. In one example, the company publicized several flaws in Apple and Microsoft operating systems despite pleas from the firms for more time to patch the security.

The issue could come up Friday at President Obama's cybersecurity summit, a first-of-its-kind event at Stanford University designed to advance conversation about cyber threats.

Project Zero has spotted roughly 100 vulnerabilities between Apple, Microsoft and Adobe projects, according to an analysis by Richmond-based firm Risk Based Security.