Kaspersky offers hackers $100,000 for spotting bugs

The new rewards form part of the antivirus firm's attempts to counteract spying accusations


Kaspersky has upped its bug bounty programme to $100,000 for the discovery and disclosure of critical vulnerabilities in its applications, as part of its efforts to rebuild trust following allegations of spying.

The move comes at a time when the Moscow-based antivirus company faces international pressure over its alleged connections with the Russian government, leading to many high-profile boycotts of its products, including by the US government, while the UK's national infosecurity authority has recommended that government bodies avoid using Russian antivirus tools.

Kaspersky's top prize rewards those who find 'remote code execution' bugs that would allow malware to take over a user's system via Kaspersky's automatic database update channel. The discovery of any other remote code execution bug will be eligible for rewards of between $5,000 and $20,000 depending on its severity, while bugs allowing elevation of privileges, or the leak of sensitive data, can be worth up to $5,000.

The new scheme is applicable to any vulnerabilities found in Kaspersky Internet Security 2019 and Kaspersky Endpoint Security 11, running on the desktop version of Windows 8.1 or later.

CEO Eugene Kaspersky said: "Finding and fixing bugs is a priority for us as a software company. We invite security researchers to make sure there are no vulnerabilities in our products. The immunity of our code and highest levels of protection that we offer customers is a core principle of our business - and a fundamental pillar of our Global Transparency Initiative."

Kaspersky has worked alongside the bug bounty coordination platform HackerOne since the launch of the scheme in 2016, resulting in 70 bug reports qualifying for rewards.

The company's Global Transparency Initiative, announced in October last year, was an attempt to prove to the international security community that it was working to maintain the integrity of its software and to rebut claims that its tools could be unwittingly exploited by the Russian government to target foreign states.

As part of that initiative's launch, Kaspersky invited independent security analysts to review the source code of its products, and upped its bug bounty to $75,000. The results of that review have yet to be released, but the company has said it will share them with IT Pro when they are available.

Since then, the US government has moved to make it illegal to use Kaspersky software in any department or agency of the federal government, prompting a legal challenge from the antivirus firm after it claimed the decision harmed its reputation and commercial operations.

The UK's National Cyber Security Centre issued warnings to government departments in December advising them to ditch Kaspersky products, as well as other Russian antivirus tools, as they pose a potential risk to national security.

Kaspersky has always maintained its innocence and independence from the Russian government.


04/12/2017: NCSC: Kaspersky antivirus could risk national security

The UK's National Cyber Security Centre (NCSC) has issued fresh warnings to all government departments against using Russian-based antivirus software, as fears mount that it could pose a risk to national security.

Official NCSC advice, updated over the weekend, claims that software such as Kaspersky Lab's antivirus suite could be exploited by the Russian government, at a time when the company is being investigated in the US.

Although the company denies any wrongdoing or any ties with Moscow, and planned to open up its source code for independent review, the US has since moved to ban the software from all government departments.

The source code review is currently ongoing, although the company has stated it would update IT Pro with the findings when they are available.

Until now, the UK government has been quiet about its use of Russian-based products. However, in a letter addressed to department secretaries last Friday, NCSC CEO Ciaran Martin said that Russian products "should not be chosen".

"The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft," he wrote. "This includes espionage, disruption and influence operations. Russia has the intent to target UK central government and the UK's critical national infrastructure."

The advice, which also provides guidance for best security practices with cloud services, suggests that the government is willing to work alongside the likes of Kaspersky rather than seek an outright ban.

"We are in discussions with Kaspersky Lab, by far the largest Russian player in the UK, about whether we can develop a framework that we and others can independently verify, which would give the government assurance about the security of their involvement in the wider UK market," the letter added.

It added that the initial guidance was only aimed at central government departments, and it doesn't recommend any action by public bodies outside of Westminster, nor does it suggest companies or the public stop using Kaspersky products.

However, as a result of the updated guidelines, Barclays has stopped offering the option of free Kaspersky software to its new customers as a "precautionary decision", and has advised those who have yet to install the suite to look for an alternative provider.

"Even though this new guidance isn't directed at members of the public, we have taken the decision to withdraw the offer," said a Barclays spokesperson, speaking to the BBC.

A spokesperson for Kaspersky Lab told IT Pro that the company was "disappointed" by Barclays' decision to discontinue giving free versions of its software to new customers, although they were keen to reiterate that the NCSC is not discouraging people from using its products.

Simon Edwards, European cyber security architect at Trend Micro, said that any vulnerability in antivirus products is more likely to be exploited against government targets than against the public.

"Reading into the research carried out by the US, it would seem that the vulnerability posed by Kaspersky was one that could only be used by the most sophisticated of attackers (i.e. state-sponsored)," said Edwards, speaking to IT Pro. "Therefore, if the organisation feels that they could be targeted by such a threat actor (i.e. government agencies), then there is a potential risk that should be addressed."

The NCSC's new stance comes a week after the newly formed Intelligence and Security Committee announced it was considering launching an investigation into Russian meddling against the UK.

Many MPs, including Labour's Mary Creagh, have suggested that Russia was behind a series of fake social media accounts created to try and influence the Brexit referendum result by spreading fake news.

CEO Eugene Kaspersky said in a tweet: "Let me stress: there is *no* ban for KL products in the UK. We are in touch with @NCSC regarding our Transparency Initiative and I am sure we will find the way to work together."

This initiative involves opening three "Transparency Centres" in Asia, Europe and the US by 2020.
