The complexity of technology makes vulnerabilities and failures inevitable. Still, it is we, humans, who develop the technology and who make use of it, and it is our responsibility to plan for this contingency. We firmly believe that the inevitable failures in technology development must be fixed.
Responsible Vulnerability Management and Disclosure as a process, not an event, serves as an important indicator of Kaspersky’s commitment to product quality and ‘compensates for this inevitability’. As part of the global cybersecurity ecosystem, we work with vendors, researchers, users and other stakeholders for the mutual benefit of the ecosystem and society at large. Below we share policies and processes that outline our definition of good faith and make sure that we act in a transparent, responsible and consistent manner.
We appreciate the important work of security researchers who identify and report vulnerabilities in our products. If you have discovered a security flaw in Kaspersky’s products, please report it to us so we can take the necessary measures to rectify the vulnerability as quickly as possible. Please report a vulnerability via HackerOne. You can also report a vulnerability by emailing us at Vulnerability@kaspersky.com. To encrypt your message, please use this PGP key.
We kindly request that you do not publish any information about the vulnerability until it has been fixed by our specialists. Kaspersky will analyze the information you provide, provide a timely initial response to your submission, work to remediate vulnerabilities in a timely manner, and inform you of the results.
We offer awards for the following products:
• Kaspersky Internet Security, latest public version;
• Kaspersky Endpoint Security, latest public version;
• Kaspersky VPN Secure Connection;
• Kaspersky Endpoint Security for Linux.
| Vulnerability class | Remote (no direct access to host, i.e. behind NAT) | LAN (network access to host in the same broadcast domain) | Local vector (direct access to host operating system with user privileges) |
| :-------- | :-------------: | :-------------: | :--------: |
| RCE in a high-privilege product process | $5 000¹ – $20 000² | $5 000¹ – $10 000² | - |
| Other RCE in product | $2 000¹ – $10 000² | $2 000¹ – $5 000² | - |
| Local Privilege Escalation | - | - | $1 000¹ – $5 000² |
| Sensitive³ user data disclosure | $2 000¹ – $10 000² | $2 000¹ – $5 000² | $500¹ – $2 000² |
Comments:
[1] – A report with test cases that includes a detailed step-by-step description of how the vulnerability is triggered.
[2] – A high-quality report (per HackerOne recommendations) with a proof of concept, which should demonstrate that the vulnerability is real. Exploits that take an excessive amount of time to run or are otherwise not credible may not be accepted.
[3] – Sensitive data: user passwords, payment data (if applicable), authentication tokens.
Based on our product’s threat model, attacks on the communication channel of the remote management services (configuration, updates, etc.) can be carried out against any target system regardless of user activity. Thus, by using a man-in-the-middle attack, arbitrary code could be executed remotely in high-privilege AV processes. As a result, the malicious code would run as part of the AV product and bypass detection technologies. We take this possibility very seriously.
A special bounty of $100 000 will be awarded for a high-quality report with PoC that implements this attack vector.
The following are out of scope:
• Kaspersky's online services, websites, and other network services;
• Third-party software, except the Pango modules that are part of Kaspersky VPN Secure Connection;
• Local bypasses and attacks started with administrative (or higher) privileges; and
• Reports about undetected malware (you can email these to: newvirus@kaspersky.com).
Kaspersky provides rewards for qualifying vulnerability reports at its discretion. We use the Common Vulnerability Scoring System (CVSS), version 3.1 to assess the severity of vulnerabilities reported. Kaspersky retains sole discretion in determining which submissions are qualified, actionable, and eligible for reward. Reports for which any portion has been disclosed to any party other than Kaspersky, as well as complete exploits, are ineligible.
All researchers are welcome to participate in Kaspersky’s bug bounty program, except for:
• Individuals younger than 13 (thirteen) years of age at the time of entry; and
• Employees of Kaspersky and its subsidiaries, as well as their immediate family members.
When working with Kaspersky according to this policy, researchers can expect us to:
• Extend Safe Harbor protections for researchers’ vulnerability research related to this policy;
• Work with researchers to understand and validate their reports;
• Work to remediate discovered vulnerabilities in a timely manner – fixing vulnerabilities is our top priority, and we use the CVSS score to determine the severity of a reported vulnerability and its potential impact on our customers;
• Recognize researchers’ contributions to improving our security if a researcher is the first to report a unique vulnerability, and their report triggers a code or configuration change.
When conducting vulnerability research according to this policy, Kaspersky considers such research to be:
• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or other similar laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms and Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful and helpful to the overall security of the ICT ecosystem, and conducted in good faith.
If you are not sure whether your conduct complies with this policy, please contact us first at Vulnerability@kaspersky.com, and we will do our best to clarify. If you would like to encrypt the information, please use our PGP key. Security researchers are expected, as always, to comply with all applicable laws.
Once a reported vulnerability has been remediated and the corresponding research is finalized, we issue an advisory documenting the vulnerability type, a description, the list of affected products, the fixed versions, and acknowledgements. The list of advisories can be accessed here.
Kaspersky provides rewards for qualifying vulnerability reports at its discretion. We use the Common Vulnerability Scoring System (CVSS) version 3.0 to assess the severity of reported vulnerabilities. Kaspersky retains sole discretion in determining which submissions are qualified, actionable, and eligible for reward. Reports for which any portion has been disclosed to any party other than Kaspersky, as well as complete exploits, are ineligible.
To encourage vulnerability research and to avoid any confusion between good-faith research and malicious activity, we ask researchers to:
• Follow this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
• Report every discovered vulnerability promptly and with sufficient detail;
• Act in good faith to avoid privacy violations, destroying data, and/or disruption to our systems;
• Use only official channels to discuss vulnerability information with us;
• Keep details of any discovered vulnerabilities confidential until they are fixed, according to the HackerOne Disclosure Guidelines;
• Perform testing only on in-scope products, and respect products and services which are out-of-scope;
• Contact us immediately if you inadvertently encounter user data. Please do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability;
• Interact only with test accounts you own or with explicit permission from the account holder;
• Not engage in extortion; and
• Otherwise comply with all applicable laws.
Security researchers are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We will not apply any changes we make to these program terms retroactively.
This program was found on HackerOne on 2016-08-02.
FireBounty © 2015-2024