Report a vulnerability
Kaspersky policy on vulnerability reporting and disclosure
Kaspersky appreciates the important work of security researchers who identify and report potential vulnerabilities in Kaspersky products.
Security is critical to everything we do. We recognize the value that security researchers can provide in helping us maintain the high standard of security and privacy for our customers. This includes coordinating vulnerability research, mitigation, and disclosure. This policy outlines Kaspersky’s definition of good faith in the context of finding and reporting vulnerabilities, as well as what researchers can expect from us in return.
If you have discovered a security flaw in Kaspersky’s products, please report it to us so we can take the necessary measures to rectify the vulnerability as quickly as possible. Please report a vulnerability to us by emailing Vulnerability@kaspersky.com or through our Bug Bounty program. To encrypt your message, please use this PGP key. Our Bug Bounty program is described here.
When you report, please include the following:
- Your contact details. Kaspersky specialists need to know how to address you and how to contact you for clarification of the details of the vulnerability you have discovered.
- The name of the product in which you discovered the vulnerability, along with its version number and your device’s operating system.
- A detailed description of the vulnerability you have discovered, so that we can determine the nature and scale of the issue.
- Whether you are planning to give information about the vulnerability to a third party.
Kaspersky will analyze the information you provide, provide a timely initial response to your submission, work to remediate vulnerabilities in a timely manner, and inform you of the results.
We kindly request that you do not publish any information about the vulnerability until it has been fixed by our team.
Kaspersky Bug Bounty Program
Kaspersky runs its public bug bounty program on the Yogosha platform. If you want to participate in the program, please sign up and join the community.
Products in Scope
- Kaspersky Standard
- Kaspersky Plus
- Kaspersky Premium
- Kaspersky Endpoint Security for Windows
- Kaspersky Endpoint Security for Linux
- Kaspersky Password Manager
- Kaspersky VPN Secure Connection
Scope of Program
| Vulnerability class | Remote (no direct access to host, i.e. behind NAT) | LAN (network access to host in the same broadcast domain) | Local vector (direct access to host operating system with user privileges) |
|---|---|---|---|
| RCE in product high privilege process | $5 000¹ – $20 000² | $5 000¹ – $10 000² | - |
| Other RCE in product | $2 000¹ – $10 000² | $2 000¹ – $5 000² | - |
| Local Privilege Escalation | - | - | $1 000¹ – $5 000² |
| Sensitive³ user data disclosure | $2 000¹ – $10 000² | $2 000¹ – $5 000² | $500¹ – $2 000² |
Based on our product’s threat model, attacks on the communication channel within remote management services (configuration, update, etc.) can be implemented on any target system regardless of user activity. Thus, by using a man-in-the-middle attack, arbitrary code can be remotely executed in high privilege antivirus processes. As a result, malware code will work as part of an antivirus product and bypass detection technologies. We take this possibility very seriously.
A special bounty of $100,000 will be awarded for a high-quality report with a Proof of Concept (PoC) that implements this attack vector.
Comments:
[1] – A report with test cases that includes a detailed step-by-step description of how the vulnerability is triggered.
[2] – A high-quality report with a proof of concept (it should demonstrate that the vulnerability is real). Exploits that take an excessive amount of time to run or are otherwise not credible may not be accepted.
[3] – Sensitive data: user passwords, payment data (if applicable), authentication tokens.
Out of scope
- Kaspersky’s online services, websites, and other network services.
- Vulnerabilities in third-party software (libraries, operating system, etc.).
- Local bypass and attacks started with administrative (or higher) privileges.
- Reports about undetected malware (you can email these to newvirus@kaspersky.com).
- Bypass of product’s licensing restrictions without security impact on legitimate users.
Qualifying Vulnerability
Kaspersky provides rewards for qualifying vulnerability reports at its discretion. We use the Common Vulnerability Scoring System (CVSS), version 3.1 to assess the severity of vulnerabilities reported. Kaspersky retains sole discretion in determining which submissions are qualified, actionable, and eligible for reward. Reports for which any portion has been disclosed to any party other than Kaspersky, as well as complete exploits, are ineligible.
Expectations
All researchers are welcome to participate in Kaspersky’s bug bounty program, except for:
- Individuals younger than 13 (thirteen) years of age at the time of entry; and
- Employees of Kaspersky and its subsidiaries, as well as their immediate family members.
When working with Kaspersky according to this policy, researchers can expect us to:
- Extend Safe Harbor protections for researchers’ vulnerability research related to this policy;
- Work with researchers to understand and validate their reports;
- Work to remediate discovered vulnerabilities in a timely manner – fixing vulnerabilities is our top priority, and we use the CVSS score to determine the severity of a vulnerability reported and potential impact level on our customers;
- Recognize researchers’ contributions to improving our security if a researcher is the first to report a unique vulnerability, and their report triggers a code or configuration change.
Safe Harbor
When conducting vulnerability research according to this policy, Kaspersky considers such research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or other similar laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms and Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful and helpful to the overall security of the ICT ecosystem, and conducted in good faith.
Rules of Ethics
To encourage vulnerability research and to avoid any confusion between good-faith research and malicious activity, we ask researchers to:
- Follow this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
- Report every discovered vulnerability promptly and with sufficient detail;
- Act in good faith to avoid privacy violations, destroying data, and/or disruption to our systems;
- Use only official channels to discuss vulnerability information with us;
- Keep details of any discovered vulnerabilities confidential until they are fixed;
- Perform testing only on in-scope products, and respect products and services which are out-of-scope;
- Contact us immediately if you inadvertently encounter user data. Please do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability;
- Interact only with test accounts you own or with explicit permission from the account holder;
- Not engage in extortion; and
- Otherwise comply with all applicable laws.
Security researchers are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We will not apply any changes we make to these program terms retroactively.