Last fall, we talked about our Global Transparency Initiative, and we also promised to extend the bug bounty program. Well, we just did it. Starting today, anyone who finds a particularly severe vulnerability in one of our products could receive a reward of $100,000.
We launched the bug bounty program in 2016. It encourages all comers — from budding IT experts to seasoned pros — to look for bugs in Kaspersky Lab products. Cash rewards, which, until now, ranged from $300 to $5,000, are paid out for vulnerabilities detected and disclosed in a responsible manner. The program has already led to more than 70 bug reports and timely action on our part to resolve the issues.
That’s right, even our products are not immune to bugs. We’re not afraid to say so. No one is perfect, which is why the first bug bounty program appeared back in 1995, when Netscape wanted to test its latest browser. Today, Google, Microsoft, Facebook, Mozilla, and many other IT companies run such programs.
Starting March 1, we increased the maximum payout 20-fold. The top reward of $100,000 is now available for the discovery of bugs that enable remote code execution through the product database update channel, where the malicious code launches silently, hidden from the user, in the product’s high-privilege process and is able to survive a system reboot.
That is quite a complex task. But finding smaller bugs will pay off as well. Vulnerabilities allowing other types of remote code execution will be awarded bounties ranging from $5,000 to $20,000. Bounty payouts will also be awarded for bugs allowing local privilege escalation or leading to sensitive data disclosure.
We invite you to test the robustness of two of our newest products: Kaspersky Internet Security 2019 and Kaspersky Endpoint Security 11 (that is, the most recent beta versions of the upcoming products). Under the program terms and conditions, they must be running on Windows 8.1 or Windows 10 with the most recent updates installed. More details are available in the bug bounty program description on the HackerOne platform website.