Because security is critical to everything we do, Kaspersky launched its public bug bounty program on August 1, 2016, and in 2018 the company updated the program in accordance with its Global Transparency Initiative. We recognize the value that security researchers can provide in helping us maintain a high standard of security and privacy for our customers. This includes coordinating vulnerability research, mitigation, and disclosure. This policy outlines Kaspersky’s definition of good faith in the context of finding and reporting vulnerabilities, as well as what researchers can expect from us in return.
When working with Kaspersky according to this policy, researchers can expect us to:
• Extend Safe Harbor protections for researchers’ vulnerability research that is related to this policy;
• Work with researchers to understand and validate their reports;
• Work to remediate discovered vulnerabilities in a timely manner;
• Recognize researchers’ contributions to improving our security if a researcher is the first to report a unique vulnerability, and their report triggers a code or configuration change.
All researchers are welcome to participate in our bug bounty program. However, the following groups are ineligible to participate:
• Individuals younger than thirteen (13) years of age at the time of entry; and
• Employees of Kaspersky and its subsidiaries, as well as their immediate family members.
Platform: Desktop Windows version 8.1+ operating system, with the latest
• Kaspersky Internet Security 2020 (https://www.kaspersky.com/downloads/thank-you/internet-security-free-trial)
• Kaspersky Endpoint Security 11 (https://www.kaspersky.com/small-to-medium-business-security/downloads/endpoint)
• Kaspersky Password Manager (https://www.kaspersky.com/password-manager#installation)
Platform: Linux operating system (requirements
• Kaspersky Endpoint Security for Linux (https://support.kaspersky.com/kes10linux#downloads)
| Vulnerability type | Remote (no direct access to host, i.e. behind NAT) | LAN (network access to host in the same broadcast domain) | Local vector (direct access to host operating system with user privileges) |
| --- | --- | --- | --- |
| RCE in product high-privilege process | $5 000¹ – $20 000² | $5 000¹ – $10 000² | - |
| Other RCE in product | $2 000¹ – $10 000² | $2 000¹ – $5 000² | - |
| Local Privilege Escalation | - | - | $1 000¹ – $5 000² |
| Sensitive³ user data disclosure | $2 000¹ – $10 000² | $2 000¹ – $5 000² | $500¹ – $2 000² |
Based on our product’s threat model, attacks on the communication channel within remote management services (configuration, update, etc.) can be carried out on any target system regardless of user activity. Thus, by using a man-in-the-middle attack, arbitrary code can be remotely executed in high-privilege AV processes. As a result, malware code would run as part of the AV product and bypass detection technologies. We take this possibility very
A special bounty of $100,000 will be awarded for a high-quality report with a PoC that implements this attack vector.
¹ – A report with test cases that includes a detailed step-by-step description of the vulnerability implementation.
² – A high-quality report with a proof of concept (should demonstrate that the vulnerability is possible). Exploits that take an excessive amount of time to run or are otherwise not credible may not be accepted (HackerOne
³ – Sensitive data: user passwords, payment data (if applicable),
Kaspersky provides rewards for qualifying vulnerability reports at its discretion. We use Common Vulnerability Scoring System (CVSS) version 3.0 to assess the severity of reported vulnerabilities. Kaspersky retains sole discretion in determining which submissions are qualified, actionable, and eligible for reward. Reports for which any portion has been disclosed to any party other than Kaspersky, as well as complete exploits, are ineligible.
• Kaspersky's online services, websites, and other network services.
• Third-party software (libraries, operating system, etc.) vulnerabilities.
• Local bypass and attacks started with administrative (or higher) privileges.
When conducting vulnerability research according to this policy, Kaspersky considers this research to be:
• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or other similar laws), and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms and Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
If you are not sure whether your conduct complies with this policy, please contact us first at Vulnerability@kaspersky.com, and we will do our best to clarify. If you would like to encrypt the information, please use our PGP key.
To encourage vulnerability research and to avoid any confusion between good-faith research and malicious activity, we ask that researchers:
• Follow this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
• Report any discovered vulnerability promptly and with sufficient detail;
• Act in good faith to avoid privacy violations, destroying data, and/or disruption to our systems;
• Use only official channels to discuss vulnerability information with us;
• Keep details of any discovered vulnerabilities confidential until they are fixed, according to the HackerOne Disclosure Guidelines;
• Perform testing only on in-scope products, and respect products and services which are out-of-scope;
• Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability;
• Interact only with test accounts you own or with explicit permission from the account holder;
• Do not engage in extortion; and
• Otherwise comply with all applicable laws.
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We will not apply any changes we make to these program terms retroactively.