Just days before its annual security summit starts in Cancun, Mexico, Kaspersky Lab announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products.
Launched in 2016, the HackerOne-powered bug bounty program initially promised a total of $50,000 in bounties and resulted in the discovery of more than 20 flaws in the first six months. To date, the program has allowed Kaspersky to address more than 70 bugs in its products and services.
Last year, the Moscow-based information security firm announced the addition of Kaspersky Password Manager 8 to the bounty program, along with an increase in the maximum reward for remote code execution vulnerabilities from $2,000 to $5,000.
The new payouts represent a 20-fold increase on the existing rewards available to security researchers who participate in the company’s bug bounty program, which is open to all members of the HackerOne platform.
The biggest bounty will be offered for the discovery and coordinated disclosure of vulnerabilities that enable remote code execution via the product database update channel, Kaspersky says. Further requirements are that the code executes in the product’s high-privilege process, silently and without the user’s knowledge, and that persistence is also achieved.
Security vulnerabilities leading to other types of remote code execution will receive rewards ranging from $5,000 to $20,000, depending on their complexity level. The company also announced it is willing to pay researchers who discover bugs allowing local privilege escalation or leading to sensitive data disclosure.
Only unknown vulnerabilities discovered in Kaspersky Internet Security 2019 and Kaspersky Endpoint Security 11 qualify for the bug bounties. Supported platforms include desktop Windows 8.1 and higher, with the most recent updates installed.
“Finding and fixing bugs is a priority for us as a software company. We invite information security researchers to make sure there are no vulnerabilities in our products. The immunity of our code and highest levels of protection that we offer customers is a core principle of our business and a fundamental pillar of our Global Transparency Initiative,” Eugene Kaspersky, CEO of Kaspersky Lab, said.
The Global Transparency Initiative was meant to clear Kaspersky’s name after reports suggested it had ties to the Russian government and the Department of Homeland Security (DHS) ordered all government agencies to stop using the company’s products.
Kaspersky filed a lawsuit against the U.S. government in December, after President Donald Trump reinforced the ban. Last month, the company filed another lawsuit over the ban.