Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Malwarebytes Launches Bug Bounty Program

In an effort to encourage researchers to responsibly disclose security flaws found in its products, anti-malware company Malwarebytes announced on Monday the launch of a bug bounty program.

In an effort to encourage researchers to responsibly disclose security flaws found in its products, anti-malware company Malwarebytes announced on Monday the launch of a bug bounty program.

The company is prepared to offer between $100 and $1,000 for eligible vulnerabilities, depending on how severe and exploitable they are. Bounty hunters are also offered an entry in the Malwarebytes Hall of Fame and “cool Malwarebytes swag.”

Malwarebytes’ Coordinated Vulnerability Disclosure program covers vulnerabilities found in the company’s products and web services, particularly weaknesses that can lead to remote code execution or sensitive information disclosure. Experts are also encouraged to report crashes and stability issues, but these are generally considered not eligible for a bounty.

In the case of vulnerabilities discovered by Malwarebytes in third-party products, the company’s standard public disclosure deadline is 150 days.

The launch of Malwarebytes’ bug bounty program comes after Google researcher Tavis Ormandy reported finding several vulnerabilities in the consumer version of Malwarebytes Anti-Malware in early November.

Marcin Kleczynski, the CEO of Malwarebytes, said his company patched several of the vulnerabilities server-side within days and is currently working on releasing a new version that will patch the client-side issues.

“The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time,” Kleczynski said. “However, this is of sufficient enough a concern that we are seeking to implement a fix.”

Malwarebytes Anti-Malware Premium users can protect themselves against possible attacks leveraging the flaws reported by Ormandy by enabling the product’s self-protection feature.

Advertisement. Scroll to continue reading.

Malwarebytes is not the only security firm whose products have been analyzed by the Google researcher. The expert has reported finding serious vulnerabilities in security software from Trend MicroKaspersky Lab, AVG, FireEye and Avast.

Related: Tor Project to Launch Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.