Banner object (1)

Hack and Take the Cash !

713 bounties in database
Kaspersky Lab logo


Kaspersky Lab

Kaspersky Lab is running its public Bug Bounty Program from August 1, 2016. All researchers are welcome to participate.

In accordance with our Global Transparency initiative __, we have updated our Bug Bounty Program. The program is open to individuals who comply with the following criteria: (1) are over the age of thirteen (13) at the time of entry; (2) employees of Kaspersky Lab, their subsidiaries, and their immediate families are not eligible to participate in the program.

How to Participate:

Eligible participants may enter by submitting a report as detailed in the requirements below to the Kaspersky Bug Bounty Program at Hackerone.

Scope products:

Platform: Desktop Windows version 8.1+ operating system, with the latest updates installed
• Kaspersky Internet Security 2019 ( __)
• Kaspersky Endpoint Security 11 ( business-security/downloads/endpoint __).
• Kaspersky Password Manager ( manager#installation __)

Platform: Linux operating system (requirements __)
• Kaspersky Endpoint Security for Linux ( __)


• Entries for which any portion has been disclosed to any party other than Kaspersky Lab are ineligible.

Scope of program:

| remote (no direct access to host, i.e. behind nat) | LAN (network access to host in the same broadcast domain) | local vector (direct access to host operating system with user privileges)
RCE in product high privilege process | $5 000¹ – $20 000² | $5 000¹ – $10 000² | -
Other RCE in product | $2 000¹ – $10 000² | $2 000¹ – $5 000² | -
Local Privilege Escalation | - | - | $1 000¹ – $5 000²
Sensitive³ user data disclosure | $2 000¹ – $10 000² | $2 000¹ – $5 000² | $500¹ – $2 000²

Based on our product’s threat model, attacks on the communication channel within remote management services (configuration, update, etc.) can be implemented on any target system regardless of user activity. Thus, by using a man in the middle attack, arbitrary code can be remotely executed in high privilege AV processes. As a result, malware code will work as part of AV product and bypass detection technologies. We take this possibility very seriously.
A special bounty of $100,000 will be awarded for high-quality report with PoC that implements this attack vector.


[1] – A report with test cases that includes a detailed step by step description of the vulnerability implementation.
[2] – A high quality report with a proof of concept (should demonstrate that vulnerability is possible). Exploits that take an excessive amount of time to run or are otherwise not credible may not be accepted (HackerOne recommendations __).
[3] – Sensitive data: user passwords, payment data (if applicable), authentication tokens.

Qualifying vulnerability:

Rewards for qualifying reports will be paid out at Kaspersky Lab’s discretion. We are using CVSSv3 for vulnerability priorities. Kaspersky Lab retains sole discretion in determining which submissions are qualified, actionable, and eligible for reward.

Out of scope:

• Kaspersky Lab’s online services, websites, and other network services.
• 3rd party software (libs, operating system, etc.) vulnerabilities.
• Local bypass and attacks started with administrative (or higher) privileges.

Disclosure Policy:

Researchers participating in the Kaspersky Lab program, must adhere to the Disclosure Policy ( The program prohibits disclosure of any vulnerability discovered in products in scope, to any party, publicly or privately, until the vulnerability fix is released. Complete exploit is not subject to disclosure.

Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2019