Kaspersky Lab has been running its public Bug Bounty Program since August 1, 2016. All researchers are welcome to participate.
In accordance with our Global Transparency initiative, we have updated our Bug Bounty Program. The program is open to individuals who meet the following criteria: (1) they are over the age of thirteen (13) at the time of entry; (2) they are not employees of Kaspersky Lab or its subsidiaries, or members of such employees' immediate families, as those are not eligible to participate in the program.
Eligible participants may enter by submitting a report as detailed in the requirements below to the Kaspersky Bug Bounty Program at Hackerone.
• Kaspersky Internet Security 2019 Beta
• Kaspersky Endpoint Security 11 (https://www.kaspersky.com/small-to-medium-business-security/downloads/endpoint).
Platform: desktop Windows 8.1 or later, with the latest updates installed.
• Entries for which any portion has been disclosed to any party other than Kaspersky Lab are ineligible.
| | Remote (no direct access to host, i.e. behind NAT) | LAN (network access to host in the same broadcast domain) | Local vector (direct access to host operating system with user privileges) |
|---|---|---|---|
| RCE in product high privilege process | $5 000¹ – $20 000² | $5 000¹ – $10 000² | - |
| Other RCE in product | $2 000¹ – $10 000² | $2 000¹ – $5 000² | - |
| Local Privilege Escalation | - | - | $1 000¹ – $5 000² |
| Sensitive³ user data disclosure | $2 000¹ – $10 000² | $2 000¹ – $5 000² | $500¹ – $2 000² |
Based on our product's threat model, attacks on the communication channel used by remote management services (configuration, update, etc.) can be carried out against any target system regardless of user activity. Thus, by using a man-in-the-middle attack, arbitrary code could be executed remotely in high-privilege AV processes. As a result, malicious code would run as part of the AV product and bypass its detection technologies. We take this possibility very
A special bounty of $100,000 will be awarded for a high-quality report with a PoC that implements this attack vector.
 – A report with test cases that includes a detailed step-by-step description of how the vulnerability is triggered.
 – A high-quality report with a proof of concept (it should demonstrate that exploitation of the vulnerability is possible). Exploits that take an excessive amount of time to run or are otherwise not credible may not be accepted (HackerOne
 – Sensitive data: user passwords, payment data (if applicable),
Rewards for qualifying reports will be paid out at Kaspersky Lab's discretion. We use CVSSv3 to prioritize vulnerabilities. Kaspersky Lab retains sole discretion in determining which submissions are qualified, actionable, and eligible for a reward.
• Kaspersky Lab’s online services, websites, and other network services.
• Vulnerabilities in third-party software (libraries, the operating system, etc.).
• Local bypasses and attacks that start with administrative (or higher) privileges.
Researchers participating in the Kaspersky Lab program must adhere to the Disclosure Policy (https://hackerone.com/disclosure-guidelines). The program prohibits disclosure of any vulnerability discovered in in-scope products, to any party, publicly or privately, until the fix for the vulnerability is released. A complete exploit is not subject to disclosure.
Contact us if you want more information.