Project Zero: Ten Years of 'Make 0-Day Hard'

Explore Project Zero's decade-long mission to combat zero-day vulnerabilities through research, disclosure policies, and collaboration that transformed security practices.

Key takeaways
  • Project Zero was founded in 2014 as a dedicated effort to combat zero-day vulnerabilities through public security research and vulnerability disclosure

  • The team’s 90-day disclosure policy helped improve vendor patching times dramatically, though patch distribution remains inconsistent, especially for Android devices

  • Browser security has significantly improved over 10 years: the deprecation of Flash and IE, along with engine consolidation, has reduced the attack surface

  • Exploitation costs have increased substantially, with high-end zero-days now costing millions, though “exploitation-as-a-service” has made attacks more accessible

  • Memory tagging and other new mitigations show promise, but mitigations alone aren’t enough; they must be combined with robust software quality practices

  • Around 40% of zero-days detected in the wild are variants of previously patched vulnerabilities, highlighting the importance of comprehensive patching

  • Major progress has been made on transparency, with most vendors now providing security advisories and engaging in public security research

  • Project Zero’s vulnerability research has led to structural improvements like Apple’s BlastDoor sandbox for iMessage

  • The team stays vendor-agnostic and focuses on end-user targeted attacks rather than IoT or B2B software

  • Despite progress, zero-day attacks continue, and new challenges such as the “security gap” between vendors’ security capabilities have emerged