Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Kaspersky Lab Offers $100,000 for Critical Vulnerabilities

Just days before its annual Security Analyst Summit kicks off in Cancun, Mexico, Kaspersky Lab this week announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products. 

Just days before its annual Security Analyst Summit kicks off in Cancun, Mexico, Kaspersky Lab this week announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products. 

Launched in August 2016, the HackerOne-powered bug bounty program initially promised a total of $50,000 in bounties and resulted in the discovery of more than 20 flaws in the first six months. To date, the program allowed Kaspersky to address more than 70 bugs in its products and services. 

In April last year, the Moscow-based security firm announced the addition of Kaspersky Password Manager 8 to the bounty program, along with an increase in the maximum reward for remote code execution vulnerabilities from $2,000 to $5,000. 

The newly announced larger payouts represent a 20-fold increase on existing rewards available to researchers who participate in the company’s bug bounty program, which is available to all members of the HackerOne platform.

The largest rewards will be offered for the discovery and coordinated disclosure of bugs that enable remote code execution via the product database update channel, Kaspersky says. Another requirement is that the launch of the code takes place in the product’s high privilege process and silently from the user, and that persistence is also achieved. 

Security flaws leading to other types of remote code execution will receive rewards ranging from $5,000 to $20,000, depending on their complexity level. The company also announced it is willing to pay researchers who discover bugs allowing local privilege escalation or leading to sensitive data disclosure. 

Only previously unknown vulnerabilities discovered in Kaspersky Internet Security 2019 (the most recent beta) and Kaspersky Endpoint Security 11 (the most recent beta) qualify for the bug bounties. Supported platforms include desktop Windows 8.1 and higher, with the most recent updates installed.  

“Finding and fixing bugs is a priority for us as a software company. We invite security researchers to make sure there are no vulnerabilities in our products. The immunity of our code and highest levels of protection that we offer customers is a core principal of our business – and a fundamental pillar of our Global Transparency Initiative,” Eugene Kaspersky, CEO of Kaspersky Lab, said.

Announced in October 2017, the Global Transparency Initiative was meant to clear Kaspersky’s name after reports suggested it had ties to the Russian government and the Department of Homeland Security (DHS) ordered all government agencies to stop using the company’s products. 

Kaspersky filed a lawsuit against the U.S. government in December, after President Donald Trump reinforced the ban. Last month, the company filed another lawsuit over the ban.

Related: Kaspersky Adds Password Manager to Bug Bounty Program

Related: Kaspersky Aims to Clear Its Name With New Transparency Initiative

Related: Kaspersky in Search of Hackers for New Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.