Building trust together with Disclose.io

July 11, 2019

Why did you buy this antivirus and not that one? Because this one costs less Because you trust it more, of course. And why do security researchers spend more time analyzing this app and not that one? Because they trust the company that developed the first app more. Not all businesses welcome news about vulnerabilities being found in their products — some actually threaten the researchers with legal action.


So, yes, in general, choosing a product or company is about trust. One mistake is enough to ruin the trust, but building it is significantly harder. It’s like a tower consisting of thousands of bricks — removing one brick may be enough for the tower to collapse, but to build the tower, you need to carefully lay one brick next to another several thousand times. That’s hard and time-consuming.

A safe harbor for researchers

We at Kaspersky want you, our customers and potential customers, to trust us, so we are building that tower, brick by brick, and maintaining it. We’ve already launched our Global Transparency Initiative. We hope that shows how transparent our business is. And we’ve increased our bug bounties. Now we are pleased to announce that we have joined Bugcrowd’s Disclose.io project to guarantee that we also won’t be legally assaulting those who look to research our products and find vulnerabilities in there.

Bugcrowd launched Disclose.io in partnership with renowned security researcher Amit Elazari in August 2018 to provide a clear legal framework to protect organizations and researchers engaged in bug bounty and vulnerability disclosure programs. Basically, what Disclose.io offers is a set of agreements between researchers and businesses. All companies who have joined Disclose.io agree to follow these agreements, and so do all of the researchers. These agreements are very simple. They’re easy to read and understand — forget about the hundreds of subsections and small fonts here and there that can make legal agreements nearly impossible to process. You can find the core terms on GitHub, and that adds to their transparency; documents on GitHub cannot be modified without the entire community seeing this fact.

These agreements encourage businesses not to punish researchers for their research, but to work with them to understand the vulnerability and fix it, and to recognize their contribution to the security of the product. On the other hand, these agreements require researchers to be responsible with the vulnerabilities they find — not to make information public before the issue is fixed, not to abuse the data they access, not to extort money from the vendors, and so on and so forth.

To sum it up, Disclose.io basically says: “Dear researchers and businesses, if you both behave nicely, it will be beneficial for both of you.” We absolutely agree with that statement, and that’s why we’re supporting Disclose.io movement and providing a safe harbor for researchers that want to find weak spots in our products.

Our customers, of course, will benefit as well. The more a product or service is looked into by the security community, the more secure it becomes. For security solutions, being as secure as possible is certainly a must.