Kaspersky Earmarks $50K for Bug Bounty Program

Kaspersky Lab has launched a bug bounty program with HackerOne, initially putting $50,000 up for grabs.

Bug bounty participants will examine the Russian firm’s flagship desktop products, Kaspersky Internet Security and Kaspersky Endpoint Security, for inherent software vulnerabilities. But the program has a dual purpose: It’s also meant to enhance Kaspersky’s relationships with external security researchers.

“Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products,” said Nikita Shvetsov, CTO at Kaspersky Lab. “We think it’s time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected.”

The program will reward the discovery of any of three vulnerability types: local privilege escalation (average reward $1,000); user data compromise, i.e., passwords and other sensitive information (average reward $2,000); and remote code execution (average reward $2,000).

Kaspersky Lab’s online services, websites and other network services are out of scope.

The first phase of the Kaspersky Lab bug bounty program will last six months, during which Kaspersky Lab will offer a total of $50,000 in bounty rewards to security researchers. After the preliminary phase is complete, the company will evaluate the results to determine what additional products and rewards should be included in the second phase of the program.

“Vulnerabilities are inevitable and bug bounty programs are proven to supplement traditional security best practices with the help of the incredibly diverse global hacker community,” said Alex Rice, CTO and co-founder, HackerOne. “We look forward to partnering with Kaspersky Lab to help them run the most competitive bug bounty program and continue to protect customers.”

Kaspersky Lab is offering bounties for flaws in the desktop products only, running on Microsoft Windows 8.1 or a more recent Microsoft desktop OS.
