Kaspersky Lab Creates Bug Bounty Program

Kaspersky Lab has announced the creation of a Bug Bounty Program with HackerOne, a bug bounty platform provider, at the Black Hat USA Conference in Las Vegas.

The development comes after the discovery of vulnerabilities with products from a number of leading security vendors.

The vendor believes the move will “not only further bolster its mitigation strategy for addressing inherent software vulnerabilities, but also continue enhancing its relationship with external security researchers.”

Bug Bounty

It admitted that the current cyber threat landscape is becoming increasingly complex, which means that security firms have to “continuously identify and implement effective tools in order to provide the most robust level of protection.”

Bug bounty programs were once considered controversial, but are nowadays regarded as an effective security measure that encourages external researchers to safely find and disclose software vulnerabilities to the companies concerned.

The bug bounty program at Kaspersky Lab will officially begin on 2 August and last for six months. The firm will offer a total of $50,000 (£37,428) to security researchers for disclosing flaws.

Researchers will be tasked with analysing Kaspersky Internet Security and Kaspersky Endpoint Security for vulnerabilities.

After the preliminary phase of the bug bounty program is complete, Kaspersky Lab will gauge the results to determine what additional products and rewards should be included in the second phase.

Kaspersky Lab

“Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products,” said Nikita Shvetsov, chief technology officer, Kaspersky Lab.

“We think it’s time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected.”

“We feel as a security vendor that we have a higher level of responsibility to make sure our software is not an entry point for attacks,” added Ryan Naraine, director of the Global Research and Analysis Team US at Kaspersky Lab.

“We should have that higher level of responsibility, and a public bounty program adds to everything we’ve been doing internally,” said Naraine. “This puts our software in front of a lot more eyes and it just makes sense to have a bounty program, and reward researchers for finding bugs.”

It should be noted that the bounty program is intended to augment Kaspersky’s internal processes for evaluating its software. Its internal measures include code reviews and audits.

Security Flaws

The move by Kaspersky Lab will be viewed by many as a responsible measure in light of the growing number of vulnerability disclosures about security products.

In June Google’s Project Zero team revealed that Symantec had really “dropped the ball” after it uncovered a series of critical vulnerabilities in Symantec’s antivirus products.

Data protection company enSilo also recently revealed that endpoint security products, specifically anti-virus (AV) and anti-exploitation products, contain a serious “code-hooking” vulnerability.

FireEye’s security product was apparently hacked by Los Angeles-based researcher Kristian Erik Hermansen, who revealed on Twitter that he had found ‘at least four’ security flaws in the company’s core product.

Google security researcher Tavis Ormandy meanwhile hacked Kaspersky’s anti-virus product last year.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...