Kaspersky in Search of Hackers for New Bug Bounty Program

Kaspersky Lab Launches New Bug Bounty Program on HackerOne Platform

Kaspersky Lab is ready to pay up to $50,000 in bounty rewards to hackers that find security vulnerabilities in its products, thanks to a new bug bounty program launched today in partnership with HackerOne.

During an initial six-month phase which begins today, security researchers are encouraged to examine Kaspersky’s flagship products for consumers and businesses, Kaspersky Internet Security and Kaspersky Endpoint Security.

Vulnerability types in scope include local privilege escalation, unauthorized access of user data and remote code execution, Kaspersky Lab told SecurityWeek.

Launched to coincide with the Black Hat conference in Las Vegas this week, the program will be run on the software-as-a-service platform from HackerOne, which provides the technology and automation to help organizations run their own vulnerability management and bug bounty programs.

“With this program, Kaspersky Lab will not only further bolster its mitigation strategy for addressing inherent software vulnerabilities, but also continue enhancing its relationship with external security researchers,” Kaspersky Lab said in a statement.

After the initial six-month phase is complete, Kaspersky says it will evaluate the results to determine what additional products and rewards should be included in the second phase of its bounty program.

“Based on the results of this first phase, we will revise our offering in terms of budget, scope of products and types of vulnerabilities covered moving forward,” the company told SecurityWeek.

“Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products,” said Nikita Shvetsov, chief technology officer, Kaspersky Lab. “We think it’s time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected.”

While the Moscow-based security firm may only now be launching its bug bounty program, security researchers have already poked holes in its products over the years.

In October 2015, Google researcher Tavis Ormandy discovered an issue that affected “Network Attack Blocker,” a component in Kaspersky’s software designed to protect devices against dangerous network activity, including port scanning, denial-of-service (DoS), and buffer-overrun attacks.

Ormandy also identified a critical security hole affecting both the 2015 and 2016 versions of Kaspersky antivirus products.

In December 2015, researchers from enSilo discovered a critical vulnerability in several security products from multiple vendors that could have been exploited by malicious actors to bypass Windows protection features and exfiltrate data. Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2 products were affected.

Security vulnerabilities in endpoint security software products are not rare, unfortunately, and Kaspersky Lab is not alone when it comes to having issues.

Researchers have discovered dangerous vulnerabilities in many security software products, including AVG, McAfee (Intel), Symantec, Trend Micro, Comodo, Malwarebytes, Avast, and FireEye, among others.

Other companies running bug bounty programs with HackerOne include Twitter, Adobe, Yahoo!, Uber, and the U.S. Department of Defense. General Motors launched a vulnerability disclosure program in early 2016, but the carmaker is currently not offering any rewards.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
