I had a positive experience working with Kaspersky reporting vulnerabilities a few years ago. The team were responsive and my impression was they were shocked I was able to find so many problems and were committed to putting it right.
I haven't looked at Kaspersky since I completed my audit, but colleagues have told me since then that Kaspersky engineers are now active libFuzzer contributors, and it sounds like you've built new fuzzing infrastructure from scratch. Nice!
I have two questions,
Are you working on sandboxing, like Microsoft does with mpengine?
Can you talk about your fuzzing infrastructure, do you have dedicated engineers working on engine security? Is it integrated into development, e.g. new unpackers can't ship without 100% code coverage and X hours fuzzing? What tools are you using, are you 100% libFuzzer, or are you using anything else?
taviso 21 karma