Kaspersky offers hackers $100,000 for spotting bugs

(Image credit: Bigstock)

Kaspersky has upped its bug bounty programme to $100,000 for the discovery and disclosure of critical vulnerabilities in its applications, as part of its efforts to rebuild trust following allegations of spying.

The move comes at a time when the Moscow-based antivirus company faces international pressure over its alleged connections with the Russian government, which has led to several high-profile boycotts of its products, including by the US government, while the UK's national information security authority has recommended that government bodies avoid using Russian antivirus tools.

Kaspersky's top prize rewards those who find remote code execution bugs that would allow malware to take over a user's system via Kaspersky's automatic database update channel. Any other remote code execution bugs will be eligible for rewards of between $5,000 and $20,000 depending on their severity, while bugs that allow elevation of privileges or the leak of sensitive data can be worth up to $5,000.

The new scheme is applicable to any vulnerabilities found in Kaspersky Internet Security 2019 and Kaspersky Endpoint Security 11, running on the desktop version of Windows 8.1 or later.

CEO Eugene Kaspersky said: "Finding and fixing bugs is a priority for us as a software company. We invite security researchers to make sure there are no vulnerabilities in our products. The immunity of our code and highest levels of protection that we offer customers is a core principle of our business - and a fundamental pillar of our Global Transparency Initiative."

Kaspersky has worked alongside the bug bounty coordination platform HackerOne since the launch of the scheme in 2016, resulting in 70 bug reports that qualified for rewards.

The company's Global Transparency Initiative, announced in October last year, was an attempt to prove to the international security community that it was working to maintain the integrity of its software and to rebut claims that its tools could be unwittingly exploited by the Russian government to target foreign states.

As part of that initiative's launch, Kaspersky invited independent security analysts to review the source code of its products, and upped its bug bounty to $75,000. The results of that review have yet to be released, but the company has said it will share them with IT Pro when they are available.

Since then, the US government has moved to make it illegal to use Kaspersky software in any department or agency of the federal government, prompting a legal challenge from the antivirus firm after it claimed the decision harmed its reputation and commercial operations.

The UK's National Cyber Security Centre issued warnings to government departments in December advising they ditch Kaspersky products, as well as other Russian antivirus tools, as they pose a potential risk to national security.

Kaspersky has always maintained its innocence and independence from the Russian government.


04/12/2017: NCSC: Kaspersky antivirus could risk national security

The UK's National Cyber Security Centre (NCSC) has issued fresh warnings to all government departments against using Russian-based antivirus software, as fears mount that they could pose a risk to national security.

Official NCSC advice, updated over the weekend, claims that software such as Kaspersky Lab's antivirus suite could be exploited by the Russian government, at a time when the company is being investigated in the US.

Although the company denies any wrongdoing or any ties with Moscow, and planned to open up its source code for independent review, the US has since moved to ban the software from all government departments.

The source code review is currently ongoing, although the company has stated it would update IT Pro with the findings when they are available.

Until now, the UK government has been quiet about its use of Russian-based products. However, in a letter addressed to department secretaries last Friday, NCSC CEO Ciaran Martin said that Russian products "should not be chosen".

"The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft," he wrote. "This includes espionage, disruption and influence operations. Russia has the intent to target UK central government and the UK's critical national infrastructure."

The advice, which also provides guidance for best security practices with cloud services, suggests that the government is willing to work alongside the likes of Kaspersky rather than seek an outright ban.

"We are in discussions with Kaspersky Lab, by far the largest Russian player in the UK, about whether we can develop a framework that we and others can independently verify, which would give the government assurance about the security of their involvement in the wider UK market," the letter added.

It added that the initial guidance was aimed only at central government departments, and that it does not recommend any action by public bodies outside of Westminster, nor does it suggest that companies or the public stop using Kaspersky products.

However, as a result of the updated guidelines, Barclays has stopped offering the option of free Kaspersky software to its new customers as a "precautionary decision", and has advised those who have yet to install the suite to look for an alternative provider.

"Even though this new guidance isn't directed at members of the public, we have taken the decision to withdraw the offer," said a Barclays spokesperson, speaking to the BBC.

A spokesperson for Kaspersky Lab told IT Pro that the company was "disappointed" by Barclays' decision to discontinue giving free versions of its software to new customers, although it was keen to reiterate that the NCSC is not discouraging people from using its products.

Simon Edwards, European cyber security architect at Trend Micro, said that any vulnerability in antivirus products is likely to be targeted at government, rather than the public.

"Reading into the research carried out by the US, it would seem that the vulnerability posed by Kaspersky was one that could only be used by the most sophisticated of attackers (i.e. state-sponsored)," said Edwards, speaking to IT Pro. "Therefore, if the organisation feels that they could be targeted by such a threat actor (i.e. government agencies), then there is a potential risk that should be addressed."

The NCSC's new stance comes a week after the newly formed Intelligence and Security Committee announced it was considering launching an investigation into Russian meddling against the UK.

Many MPs, including Labour's Mary Creagh, have suggested that Russia was behind a series of fake social media accounts created to try and influence the Brexit referendum result by spreading fake news.

CEO Eugene Kaspersky said in a tweet: "Let me stress: there is *no* ban for KL products in the UK. We are in touch with @NCSC regarding our Transparency Initiative and I am sure we will find the way to work together."

This initiative involves opening three "Transparency Centres" in Asia, Europe and the US by 2020.


Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.