
Kaspersky in Search of Hackers for New Bug Bounty Program

Kaspersky Lab Launches New Bug Bounty Program on HackerOne Platform

Kaspersky Lab is ready to pay up to $50,000 in bounty rewards to hackers that find security vulnerabilities in its products, thanks to a new bug bounty program launched today in partnership with HackerOne.

During an initial six-month phase which begins today, security researchers are encouraged to examine Kaspersky’s flagship products for consumers and businesses, Kaspersky Internet Security and Kaspersky Endpoint Security.

Vulnerability types in scope include local privilege escalation, unauthorized access of user data and remote code execution, Kaspersky Lab told SecurityWeek.

Launched to coincide with the Black Hat conference in Las Vegas this week, the program will be run on the software-as-a-service platform from HackerOne, which provides the technology and automation to help organizations run their own vulnerability management and bug bounty programs.

“With this program, Kaspersky Lab will not only further bolster its mitigation strategy for addressing inherent software vulnerabilities, but also continue enhancing its relationship with external security researchers,” Kaspersky Lab said in a statement.

After the initial six-month phase is complete, Kaspersky says it will evaluate the results to determine what additional products and rewards should be included in the second phase of its bounty program.

“Based on the results of this first phase, we will revise our offering in terms of budget, scope of products and types of vulnerabilities covered moving forward,” the company told SecurityWeek.

“Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products,” said Nikita Shvetsov, chief technology officer, Kaspersky Lab. “We think it’s time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected.”

While the Moscow-based security firm may only now be launching its bug bounty program, security researchers have already poked holes in its products over the years.

In October 2015, Google researcher Tavis Ormandy discovered an issue that affected “Network Attack Blocker,” a component in Kaspersky’s software designed to protect devices against dangerous network activity, including port scanning, denial-of-service (DoS), and buffer-overrun attacks.

Ormandy also identified a critical security hole affecting both the 2015 and 2016 versions of Kaspersky antivirus products.

In December 2015, researchers from enSilo discovered a critical vulnerability in several security products from multiple vendors that could have been exploited by malicious actors to bypass Windows protection features and exfiltrate data. Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2 products were affected.

Security vulnerabilities in endpoint security software products are not rare, unfortunately, and Kaspersky Lab is not alone when it comes to having issues.

Researchers have discovered dangerous vulnerabilities in many security software products, including AVG, McAfee (Intel), Symantec, Trend Micro, Comodo, Malwarebytes, Avast, and FireEye, among others.

Other companies running bug bounty programs with HackerOne include Twitter, Adobe, Yahoo!, Uber, and The U.S. Department of Defense. General Motors launched a vulnerability disclosure program in early 2016, but the carmaker is currently not offering any rewards.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
