… your security’s improved as a result of your program.”
As part of its Global Transparency Initiative, Kaspersky Lab recently extended its successful bug bounty program to include rewards of as much as $100,000 for the discovery and coordinated disclosure of severe vulnerabilities in some of its leading products.
Anton Shingarev, head of the CEO office at Kaspersky Lab, tells us the program launched in 2016 and already has led to more than 70 bug reports related to Kaspersky products and services being resolved, “thus improving the resiliency of our products.”
“In today’s complex threat landscape, bug bounty programs are one of the tools that help security companies strengthen their products and complement their own vulnerability detection and mitigation work,” he said. “These programs also incentivize external researchers to safely and responsibly find and disclose software vulnerabilities.”
Bogdan Botezatu, Bitdefender’s senior e-threat analyst, tells us his company’s bug bounty program has helped identify potential blind spots across its technology stack.
“We are fortunate to have a red team always available to uncover what is happening in the cyberthreat landscape,” he said. “We strongly believe that an extra set of eyes can reveal things that may have been overlooked in our initial tests. The desire for a ‘second opinion’ arises from the responsibility that we have to our customers and partners. We want to engage with people outside of Bitdefender who bring different perspectives and skill sets to the security table.”
Bitdefender tends to treat any bug – regardless of severity – as a vulnerability with serious consequences, Botezatu said.
“Distributed denial-of-service (DDoS) attacks, vulnerability probes and mass scans are part of the normal daily routine for a security company and the fewer and the smaller the holes, the less leverage cybercriminals have,” he said. “There is plenty of feedback from bug hunters. After submitting bugs with proof of concept, we stay in touch with them for the duration of validation through the implementation of the fix. They are generally happy with the fact that we encourage them to take their best shot and reward them with money. Carrots are always better than sticks.”
Hacker activity in the programs varies widely, Bacchus said.
“We’ll see some hackers that get really invested in one or two programs and they really just focus on those areas and go very, very deep, and get an intimate knowledge of that organization, and their applications and how they work,” he said. “And we’ll see other hackers that kind of go wide and a little more shallow, so they basically go across many, many programs and see what they can find. There are hackers that are really good at finding certain vulnerabilities, and so they’ll look for that type of vulnerability across multiple programs. And sometimes you’ll have a hacker who’s good at finding just about everything, and they’ll go deep in one program and find all the various bugs for that one organization.”
More and more companies and organizations are realizing that …