The Daily Swig Web security digest

Kaspersky RCE bug bounty increased to $100k

Jessica Haworth | 08 March 2018 at 11:58

The antivirus lab has upped the reward for severe vulnerabilities allowing remote code execution in its products.

Kaspersky Lab has increased its bug bounty reward to $100,000 for the discovery of serious remote code execution (RCE) flaws in its products.

The company is offering the maximum reward to researchers who can identify severe vulnerabilities that allow RCE through the database update channel.

It is specifically targeting bugs that can silently launch malware code in certain products’ high-privilege process and that can also survive a system reboot.

The products identified as being at risk of these bugs are Kaspersky Internet Security 2019 and Kaspersky Endpoint Security running on Windows 8.1 or higher.

Other RCE vulnerabilities can bag researchers a reward of $5,000 to $20,000.

CEO Eugene Kaspersky said: “Finding and fixing bugs is a priority for us as a software company. We invite security researchers to make sure there are no vulnerabilities in our products.”

The RCE bounty hike follows the US Department of Homeland Security’s announcement that it had banned the use of Kaspersky products amid concerns over the company’s purported links with Russia.

The security firm said the move to ban its products was “unconstitutional” and amounted to “punishment without trial”.

A statement from the DHS read: “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”

Kaspersky, in return, took the DHS to court to claim the ban was unconstitutional under the US Administrative Procedure Act.

The company told The Register: “Kaspersky Lab maintains that the DHS decision is unconstitutional and relied on subjective, non-technical public sources, such as uncorroborated and often anonymously sourced media reports, related claims, and rumors.”