A license to hunt bugs

August 2, 2016

In the very near future, we will use the HackerOne platform to launch the Kaspersky Lab Bug Bounty program, which will give outside experts an opportunity to seek bugs in Kaspersky Lab’s products and be rewarded for vulnerabilities they might find. We have been contemplating this option for quite some time. In 2015, we ran a closed bug bounty program, and after reviewing its results decided to make the program public and allow outside researchers to participate.

All software developers want to create an ideal product. But nobody has made a truly perfect piece of software yet. With effort and know-how, you can find a few flaws or glitches in any program. The primary questions are how serious these deficiencies are and when they are likely to be found in the wild. Bugs obviously need to be detected before they cause users any trouble — and, most important, before troublemakers find and exploit them.

As we said, perfect software simply does not yet exist, and though our programs are not an exception, we must keep trying. To minimize vulnerabilities in our products, we at Kaspersky Lab have already implemented a multilevel approach to testing our products as part of a secure software development life cycle. Before release, every Kaspersky Lab solution undergoes a rigorous internal audit. A team of professional testers from our quality assurance (QA) department analyzes the software, and our internal pen testers run penetration tests, too. In some cases, pilot deployments follow before we release our product to market. But to minimize the chance of criminals being able to find and exploit flaws, we decided to add another level of reliability testing.
We believe that, because of their mission, security solutions must be picked over for vulnerabilities with the utmost care. Flaws in an office or entertainment application are problematic and can be annoying or even dangerous, but to exploit a regular software vulnerability, cybercriminals first have to bypass the defenses of information security solutions.

Kaspersky Lab software has a definite advantage over that of most other software developers because we pioneered instant updates. It is the nature of security solutions to require frequent updates — and I’m not just talking about updating databases. Several years ago, Kaspersky Lab’s products adopted a new method of supplying end users with instant updates, not only to databases but to the software itself. It enables instant installation of updated modules on most products and thereby quickly fixes any vulnerabilities. Thanks to this system (actually, thanks to the coordinated work of Kaspersky Lab developers and researchers), last year we managed to fix a few serious bugs within 24 hours.

The Kaspersky Lab Bug Bounty program — in concert with HackerOne, a specialized platform for detecting vulnerabilities — officially starts on August 2, 2016. The program will last through February 2017.

For more information on the program, the types of vulnerabilities bug hunters should focus on, and other conditions of participation, see here. We look forward to seeing how fresh eyes can help us make our products even better and more reliable.