Usr6
Posted August 14, 2016

Kaspersky Lab is running its public Bug Bounty Program for six months from September 1, 2016. All researchers are welcome to participate.

Under the Kaspersky Lab Bug Bounty Program, qualified individuals are encouraged to submit bug reports for vulnerabilities in Kaspersky Internet Security 2017 (https://products.s.kaspersky-labs.com/english/homeuser/kis2017) or Kaspersky Endpoint Security 10 SP1MR3 (https://forum.kaspersky.com/index.php?showtopic=352009).

Please review and accept the terms and conditions of the Kaspersky Internet Security 2017 (https://hackerone.box.com/shared/static/lpa6rlcmja4udys12oijjjirq1sq7bab.pdf) and Kaspersky Endpoint Security 10 SP1MR3 (https://hackerone.box.com/shared/static/la5b6ier63s1prxfhybnily4742gmjwb.pdf) Testing Licenses Certificates before you test and/or report a vulnerability.

Scope of program

Kaspersky Lab would like you to test the security of Kaspersky Internet Security 2017 and Kaspersky Endpoint Security 10 SP1MR3 running on Microsoft Windows 8.1, or a more recent Microsoft desktop OS.

Vulnerability types in scope:
- Local privilege escalation (average reward $1,000)
- User data (like passwords and other sensitive information) compromise (average reward $2,000)
- Remote code execution (average reward $2,000)

Out of scope: Kaspersky Lab’s online services, websites, and other network services. We are looking for security issues in the desktop products only.

Qualifying vulnerability

Rewards for qualifying bugs typically range from $300. Bounties will be paid out at Kaspersky Lab’s discretion. Kaspersky Lab retains sole discretion in determining which submissions are qualified, actionable, and eligible for reward. Severity of the issue and quality of reports will be considered in the reward amount. The maximum reward depends on vulnerability importance. We are using CVSSv2 for vulnerability priorities.

Disclosure policy

Researchers invited to participate in the Kaspersky Lab program must adhere to the Disclosure Policy located here (https://hackerone.com/disclosure-guidelines). The program prohibits disclosure of any vulnerability discovered in Kaspersky Internet Security 2017 to any party publicly or privately until the vulnerability fix is released. Upon completion of the vulnerability fix, Kaspersky Lab may agree to disclosure after 30 days.

Eligibility

We are thankful to every individual researcher who submits a vulnerability report, helping us improve overall security of Kaspersky Lab’s products. However, only those that meet the following criteria may be eligible to receive a reward.

Some of the requirements to participate in the Bug Bounty Program include:
- You must be the first reporter of a vulnerability in order to be considered for an award
- You must not be employed by Kaspersky Lab or its subsidiaries or related entities
- You must comply with these terms when discovering the vulnerability
- You must follow all guidelines when submitting the vulnerability report
- We can’t be legally prohibited from rewarding you for any reason

Source: https://hackerone.com/kaspersky