LAS VEGAS – Kaspersky Lab today at Black Hat USA 2016 announced the launch of a public bug bounty, one of the few offered by a software vendor in the computer security industry.
The bounty begins tomorrow on the HackerOne platform, and the first phase will run for six months. The company said that during the first phase, $50,000 would be available for rewards to researchers finding vulnerabilities in the vendor’s flagship consumer and business products, Kaspersky Internet Security and Kaspersky Endpoint Security respectively. In scope will be local privilege escalation, unauthorized access to user data, and remote code execution flaws in each product.
“We feel as a security vendor that we have a higher level of responsibility to make sure our software is not an entry point for attacks,” said Ryan Naraine, director of the Global Research and Analysis Team U.S. at Kaspersky Lab. “We should have that higher level of responsibility, and a public bounty program adds to everything we’ve been doing internally. This puts our software in front of a lot more eyes and it just makes sense to have a bounty program, and reward researchers for finding bugs.”
The bounty program augments Kaspersky’s internal processes for evaluating its software, which includes code reviews and audits under its secure development lifecycle, Naraine said. He added that the company spent time during a months-long private beta with HackerOne allocating internal resources and refining processes for accepting bug reports.
“Bring them all, that’s the point of going public,” Naraine said of the anticipated volume of bugs. “The more bugs we get, the better we are and the better our software is. If you find a bug we want it.”
HackerOne cofounder and chief technology officer Alex Rice said that bug bounties are quickly becoming a best practice among companies in many industries, but security vendors are lagging.
“This is a strong testament to the level of maturity an organization has in terms of existing practices and strong relationships with the research community,” Rice said. “Kaspersky Lab is one of the first to go public ahead of others, and it’s an indication of the maturity of their program.” HackerOne, which has 60,000 hackers registered on its platform and has resolved more than 26,000 vulnerabilities, said that Kaspersky joins a relatively small number of security vendors on its platform, alongside Cylance and Glasswire.
Last September, Google Project Zero researcher Tavis Ormandy found and privately disclosed to Kaspersky Lab a critical remotely exploitable vulnerability, which was patched within a day and promptly pushed to customers. While Ormandy chose not to work through the existing private beta program, his disclosure directly through Kaspersky and Project Zero put internal processes through their paces, Naraine said.
“The last thing you want is to learn a hard lesson publicly, or respond on the fly and have to scramble,” Naraine said. “We were able to use our existing systems to deal with the Project Zero vulnerabilities and Tavis said we set the bar in terms of responsiveness.”
The up-front work necessary to be able to receive external bug reports has always been one of the biggest eye-openers for those venturing into bug bounties for the first time.
“Bug bounty programs are a sign that everything under them is mature and in shape,” Rice said. “You can’t launch unless you have architectural reviews, an SDLC and other critical processes in place. Organizations think they have it, but don’t really know until they try it out. Some organizations have bounty programs and their processes are less mature than they thought; the first 10 hackers they’ve invited have created six months’ worth of work.”