Revelation of security bugs jumpstarts launch of Malwarebytes’ bug bounty program
Malwarebytes CEO Marcin Kleczynski has announced that the company has launched a bug bounty program in an effort to make its software more secure.
“The Coordinated Vulnerability Disclosure program incentivizes external researchers who work with us responsibly by promoting an open communication channel with our engineering division, awarding bug bounties and duly crediting the effort from leading researchers in our Hall of Fame and other hotfix release notes,” he explained.
Bug reporters will typically receive between $100 and $1,000 per report. The final amount depends on the severity and exploitability of the bug and can occasionally be higher. In scope are bugs in the company’s products and in its web services under the *.malwarebytes.org domain.
The announcement comes on the heels of the revelation that the company is in the process of patching several bugs in the consumer version of Malwarebytes Anti-Malware.
The vulnerabilities were privately reported by Google security researcher Tavis Ormandy in November 2015. Details about them were published yesterday, as the 90-day disclosure deadline that Google usually gives affected vendors had passed.
Kleczynski says that the server-side vulnerabilities have already been fixed, and that the company is now internally testing a new version (2.2.1) of the product that will patch the client-side vulnerabilities. It is expected to be released in the next 3 to 4 weeks.
“The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time,” he noted.
“However, this is of sufficient enough a concern that we are seeking to implement a fix. Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities.”
He reiterated the company’s commitment to keeping its customers safe, and also shared that the company is building automated vulnerability-finding software, creating new processes and methodologies for scrutinizing its own code, and adding tests and checkpoints to its development cycle.