taviso (21 karma)

I had a positive experience working with Kaspersky reporting vulnerabilities a few years ago. The team were responsive and my impression was they were shocked I was able to find so many problems and were committed to putting it right.

I haven't looked at Kaspersky since I completed my audit, but colleagues have told me since then that Kaspersky engineers are now active libFuzzer contributors, and it sounds like you've built new fuzzing infrastructure from scratch. Nice!

I have two questions:

  • Are you working on sandboxing, like Microsoft does with mpengine?
  • Can you talk about your fuzzing infrastructure, do you have dedicated engineers working on engine security? Is it integrated into development, e.g. new unpackers can't ship without 100% code coverage and X hours fuzzing? What tools are you using, are you 100% libFuzzer, or are you using anything else?