Kaspersky Lab Launches Bug Bounty Program With HackerOne

The security firm allocates $50,000 to pay security researchers for responsibly disclosing flaws in its security products.

Kaspersky Lab is no stranger to the world of vulnerability research, but the company is now opening up and enabling third-party security researchers to disclose vulnerabilities about Kaspersky's own software.

The new effort is being conducted as a bug bounty program on the HackerOne platform. Kaspersky Lab is initially providing a total of $50,000 in bug bounties and is starting off with its Kaspersky Internet Security and Kaspersky Endpoint Security products as targets for researchers.

"The initial phase will last six months, and based on the results of this first phase, we will revise our offering in terms of budget, scope of products and types of vulnerabilities covered moving forward," Ryan Naraine, director of the Global Research & Analysis Team, U.S., at Kaspersky Lab, told eWEEK.

Cyber-security companies have a higher level of responsibility to make sure their products are secure and their customers remain protected, and a bug bounty program is one of the tools that can help vendors strengthen their products, according to Naraine. He noted that Kaspersky conducted a successful invite-only beta bug bounty program and has now decided to make its program open for everyone.

"The bug bounty program will supplement our overall internal strategy aimed at making our software products more secure," Naraine said.

Kaspersky Lab isn't the only cyber-security vendor using HackerOne to run a bug bounty program. HackerOne also hosts public bug bounty programs for Cylance and Glasswire and helped the U.S. Department of Defense with the Hack the Pentagon program earlier this year.

"Several other security vendors are still earlier in their programs with private, invitation-only programs on the platform," Alex Rice, CTO and co-founder of HackerOne, told eWEEK.

The market for bug bounty platforms is competitive, with several options beyond HackerOne available, including Bugcrowd and Synack. Rice said that Kaspersky Lab started out like most of its customers by running a private, or invitation-only, pilot with a select group of hackers. Following the success of this initial private pilot, Kaspersky's program and security team are ready for a public program.

Rice noted that HackerOne has more than 550 customers, yet only about a quarter of those customers are running public programs. According to Rice, the fact that Kaspersky is now running a public program speaks to Kaspersky's maturity and ability to handle an increased volume of vulnerability reports.

In addition, Rice said that Kaspersky Lab has had a long-standing Vulnerability Reporting and Disclosure policy that has enabled it to build a positive relationship with the security community.

"When talking with the Kaspersky team, you are greeted with a genuine belief that security software should be held to a higher standard," he said. "They want to learn about as many weaknesses as possible so that they can be quickly eliminated and the bar raised."

Kaspersky has been the target of third-party researchers in the past, including Google Project Zero researcher Tavis Ormandy in 2015. One of the incredible strengths of the security research community is the diversity of motivations behind their work, Rice said.

"While many researchers—including Project Zero—are motivated primarily by the intellectual challenge and altruism, providing additional incentives to attract the broadest set of eyeballs is just good common sense," he said. "We look forward to working with any researchers who have identified a vulnerability."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.