Kaspersky Lab has promised to work with independent companies to conduct audits of its product source code in the future, in an effort to re-establish trust in the wake of alleged involvement in US government data theft. Kaspersky software has been explicitly blamed for the theft of sensitive documents owned by the US National Security Agency, which had been taken home by an employee who was targeted by Russian hackers for the information.
Last month, the US Department of Homeland Security (DHS) ordered all US federal agencies to stop using Kaspersky products within the next 90 days due to suspected ties to the Russian government. The Trump administration has also removed Kaspersky from the lists of approved vendors from which the US government is permitted to purchase equipment and services.
The Moscow-based cybersecurity firm said there are also plans to create three “transparency centers” worldwide, in Asia, Europe, and the United States, over the next three years: the first center is to open in 2018, with all three in place by 2020. These centers will host the reviews of source code and internal processes, and changes to coding and threat detection rules will be made as necessary.
Amit Serper of Boston-based Cybereason noted on Twitter that access to the source code may do little, as that may not be where the true issue lies.
“Code review is absolutely meaningless,” said Serper. Regardless of what the code looks like, the software may collect the checksums of processed files, URL information, information about a user’s PC and software, and more.
Kaspersky Lab said that the firm will work with stakeholders and the information security community in the future to further solidify its plans to increase transparency and strengthen compliance. Kaspersky Lab will also be offering increased bug bounty rewards of up to $100,000 to researchers who find and report vulnerabilities in core company products through its Coordinated Vulnerability Disclosure program by the end of 2017.