Kaspersky Lab Kicks Off Its First Bug Bounty Program

Security software is no stranger to security flaws and a major anti-virus company today launched a bug bounty program that opens up its products to outside scrutiny by researchers.

Kaspersky Lab has teamed up with bug bounty platform vendor HackerOne to o /admin/.http:/googleprojectzero.blogspot.com/2015/09/kaspersky-mo-unpackers-mo-problems.ht ffer $50,000 in rewards to white-hat hackers who find vulnerabilities in its Kaspersky Internet Security and Kaspersky Endpoint Security products. The bug bounty program, which begins today and runs for six months, could be expanded into a long-term program covering additional Kaspersky software products, the company says.

Security vendors such as Symantec, McAfee, Kaspersky, and Trend Micro, all have been the subject of vulnerability discoveries in their software. Most recently, Kaspersky last fall patched multiple flaws exposed by Google’s Tavis Ormand, who at the time pointed out how antivirus exploits are a hot commodity in the black market. “We have strong evidence that an active black market trade in antivirus exploits exists. Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks,” Ormandy said in a Sept. blog post, where he also gave Kaspersky Lab kudos for their rapid fixes. “For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.”

Kaspersky’s new bug bounty program follows an internal “ad hoc” type approach the security firm used for rewarding researchers who found flaws in its software, says Ryan Naraine, head of Kaspersky Lab’s global research & analysis team in the US. “We already had an internal system for dealing with” vulnerability reporting, Naraine says. "But we never had a process that actively encourages researchers to come with us with bugs."

Naraine says he hopes more security vendors will also launch bug bounty programs. “Security vendors as a whole have a higher level of responsibility” here, he says. “In one year, my hope is that a bug bounty launch will not be a news story” anymore, he says.

Software security experts say bug bounty programs are a key element of checking code with a fresh set of eyes outside the organization; HackerOne recently worked with the Defense Department on its pilot bug bounty program—the very first for the US federal government.

“Kaspersky has a long history of collaborating with the research community and with their public bug bounty program we anticipate they will be able to find and resolve even more vulnerabilities with the help of external hackers," says Alex Rice, CTO and co-founder of HackerOne.