Kaspersky Lab launches public bug bounty program
Kaspersky Lab is asking researchers to look under the hood of two of its flagship security solutions and to report any bugs they might find.
Kaspersky’s bug bounty program, which was in private beta for months, will now be opened to all outside researchers for a period of six months. The move was announced at Black Hat USA 2016.
Researchers are invited to look for security issues only in “Kaspersky Internet Security 2017 and Kaspersky Endpoint Security 10 SP1MR3 running on Microsoft Windows 8.1, or a more recent Microsoft desktop OS.”
The company will give out rewards for local privilege escalation and remote execution bugs, as well as vulnerabilities that could lead to user data compromise.
Average reward amounts go from $1,000 to $2,000, but higher rewards are possible if the vulnerability is considered to be important enough. Also, the rewards might be increased in future phases of the program. All in all, Kaspersky has set aside $50,000 for the bounties.
The program will complement the company’s internal security testing and evaluation processes.
“We feel as a security vendor that we have a higher level of responsibility to make sure our software is not an entry point for attacks,” Ryan Naraine, director of the Global Research and Analysis Team U.S. at Kaspersky Lab, explained.
“We should have that higher level of responsibility, and a public bounty program adds to everything we’ve been doing internally. This puts our software in front of a lot more eyes and it just makes sense to have a bounty program, and reward researchers for finding bugs.”
The bounty program has been set up on the HackerOne platform, which also hosts the bug bounty programs put in place by other security companies such as Avast, F-Secure, and Sucuri.
The zero-day flaw in Kaspersky’s AV solution that researcher Tavis Ormandy responsibly reported last September, and that the company fixed in record time, was not reported through the bug bounty program.