Kaspersky in Search of Hackers for New Bug Bounty Program

Kaspersky Lab Launches New Bug Bounty Program on HackerOne Platform

Kaspersky Lab is ready to pay up to $50,000 in bounty rewards to hackers that find security vulnerabilities in its products, thanks to a new bug bounty program launched today in partnership with HackerOne.

During an initial six-month phase which begins today, security researchers are encouraged to examine Kaspersky’s flagship products for consumers and businesses, Kaspersky Internet Security and Kaspersky Endpoint Security.

Vulnerability types in scope include local privilege escalation, unauthorized access of user data and remote code execution, Kaspersky Lab told SecurityWeek.

Launched to coincide with the Black Hat conference in Las Vegas this week, the program will be run on the software-as-a-service platform from HackerOne, which provides the technology and automation to help organizations run their own vulnerability management and bug bounty programs.

“With this program, Kaspersky Lab will not only further bolster its mitigation strategy for addressing inherent software vulnerabilities, but also continue enhancing its relationship with external security researchers,” Kaspersky Lab said in a statement.

After the initial six-month phase is complete, Kaspersky says it will evaluate the results to determine what additional products and rewards should be included in the second phase of its bounty program.

“Based on the results of this first phase, we will revise our offering in terms of budget, scope of products and types of vulnerabilities covered moving forward,” the company told SecurityWeek.

“Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products,” said Nikita Shvetsov, chief technology officer, Kaspersky Lab. “We think it’s time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected.”

While the Moscow-based security firm may only now be launching its bug bounty program, security researchers have already poked holes in its products over the years.

In October 2015, Google researcher Tavis Ormandy discovered an issue that affected “Network Attack Blocker,” a component in Kaspersky’s software designed to protect devices against dangerous network activity, including port scanning, denial-of-service (DoS), and buffer-overrun attacks.

Ormandy also identified a critical security hole affecting both the 2015 and 2016 versions of Kaspersky antivirus products.

In December 2015, researchers from enSilo discovered a critical vulnerability in several security products from multiple vendors that could have been exploited by malicious actors to bypass Windows protection features and exfiltrate data. Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2 products were affected.

Security vulnerabilities in endpoint security software products are not rare, unfortunately, and Kaspersky Lab is not alone when it comes to having issues.

Researchers have discovered dangerous vulnerabilities in many security software products, including AVG, McAfee (Intel), Symantec, Trend Micro, Comodo, Malwarebytes, Avast, and FireEye, among others.

Other companies running bug bounty programs with HackerOne include Twitter, Adobe, Yahoo!, Uber, and The U.S. Department of Defense. General Motors launched a vulnerability disclosure program in early 2016, but the carmaker is currently not offering any rewards.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.