Kaspersky ups bug bounty to $100,000
Kaspersky Lab looking for exploits that could hide malware in update process
Kaspersky Lab has increased the bug bounty for certain of its product lines to $100,000.
The new bounty, which is nearly twenty times more than many other such schemes, is intended to speed discovery of severe vulnerabilities in the latest version of Kaspersky's security applications.
The increased bounty is for bugs that would enable a hacker to use Kaspersky's own updating of virus definitions and similar privileged processes to launch an attack.
The bounty is only for bugs that enable remote code execution via the product database update channel, where the malware code launches silently, without the user noticing, in the product's high-privilege process and is able to survive a reboot of the system.
The bounty applies to the latest versions/betas of Kaspersky Internet Security and Endpoint Security. It is only open to members of HackerOne, the vulnerability coordination and bug bounty platform.
Bounties for other vulnerabilities from Kaspersky will range from $5,000 to $20,000 depending on complexity.
Eugene Kaspersky, CEO of Kaspersky Lab, commented: "Finding and fixing bugs is a priority for us as a software company. We invite security researchers to make sure there are no vulnerabilities in our products. The immunity of our code and highest levels of protection that we offer customers is a core principle of our business - and a fundamental pillar of our Global Transparency Initiative."
The company's bug bounty program, launched in 2016, encourages independent security researchers to supplement the company's own work in vulnerability detection and mitigation. The program has already led to more than 70 bug reports related to Kaspersky Lab products and services, the company said.