Kaspersky Lab Creates Bug Bounty Program

Claims to be the first time a security vendor has offered rewards for disclosures of vulnerabilities in its products

Kaspersky Lab has announced the creation of a Bug Bounty Program with HackerOne, a bug bounty platform provider, at the Black Hat USA Conference in Las Vegas.

The development comes after the discovery of vulnerabilities in products from a number of leading security vendors.

The vendor believes the move will “not only further bolster its mitigation strategy for addressing inherent software vulnerabilities, but also continue enhancing its relationship with external security researchers.”

Bug Bounty

It admitted that the current cyber threat landscape is becoming increasingly complex, which means that security firms have to “continuously identify and implement effective tools in order to provide the most robust level of protection.”

Bug bounty programs were once considered controversial, but are nowadays regarded as an effective security measure that encourages external researchers to safely find and disclose software vulnerabilities to the companies concerned.

The bug bounty program at Kaspersky Lab will officially begin on 2 August and last for six months. The firm will offer a total of $50,000 (£37,428) to security researchers for disclosing flaws.

Researchers will be tasked with analysing Kaspersky Internet Security and Kaspersky Endpoint Security for vulnerabilities.

After the preliminary phase of the bug bounty program is complete, Kaspersky Lab will gauge the results to determine what additional products and rewards should be included in the second phase.

Kaspersky Lab

“Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products,” said Nikita Shvetsov, chief technology officer, Kaspersky Lab.

“We think it’s time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected.”

“We feel as a security vendor that we have a higher level of responsibility to make sure our software is not an entry point for attacks,” added Ryan Naraine, director of the Global Research and Analysis Team US at Kaspersky Lab.

“We should have that higher level of responsibility, and a public bounty program adds to everything we’ve been doing internally,” said Naraine. “This puts our software in front of a lot more eyes and it just makes sense to have a bounty program, and reward researchers for finding bugs.”

It should be noted that the bounty program is intended to augment Kaspersky’s internal processes for evaluating its software. Its internal measures include code reviews and audits.

Security Flaws

The move by Kaspersky Lab will be viewed by many as a responsible measure in light of the growing number of vulnerability disclosures about security products.

In June Google’s Project Zero team revealed that Symantec had really “dropped the ball” after it uncovered a series of critical vulnerabilities in Symantec’s antivirus products.

Data protection company enSilo also recently revealed that end-point security products, specifically anti-virus (AV) and anti-exploitation products, contain a serious “code-hooking” vulnerability.

FireEye’s security product was apparently hacked by Los Angeles-based researcher Kristian Erik Hermansen, who revealed on Twitter that he had found ‘at least four’ security flaws in the company’s core product.

Google security researcher Tavis Ormandy meanwhile hacked Kaspersky’s anti-virus product last year.