Series of Security Bugs Force Malwarebytes to Start Bug Bounty Program

Good news for security researchers: you can now earn good money by reporting security bugs to Malwarebytes, thanks to its new bug bounty program.

Malwarebytes is currently in the final stages of rolling out permanent patches for a series of security bugs in one of its flagship products. The company received the reports from Tavis Ormandy, the well-known security researcher at Google Project Zero.

Malwarebytes is known for its Windows and Mac OS X security product Malwarebytes Anti-Malware (MBAM), which detects and removes malware and protects users against malware threats in real time.

In November 2015, Tavis Ormandy contacted the Malwarebytes team about four serious security issues in its flagship product.

According to Mr. Ormandy's findings, MBAM did not sign its updates and downloaded signature updates over plain HTTP, leaving it open to basic man-in-the-middle (MiTM) attacks: anyone on the network path could substitute their own update and the client would accept it.
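The fix for this class of weakness is to sign every update and have the client verify the signature before using it, so the transport no longer has to be trusted. The following Go program is an added example written for this article, not Malwarebytes' code: a publisher signs each signature database with an Ed25519 key, and the client rejects any update whose signature fails or whose version is not newer than the installed one. The update format, the `sigdb-v%d` version header and the sample rule text are assumptions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedUpdate is a constructed format: database bytes plus a detached Ed25519 signature.
type SignedUpdate struct {
	Version      int
	Payload, Sig []byte
}

// GenerateKeys makes the publisher key pair; only the public key ships with the client.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand only fails on a broken system
	return pub, priv
}
// updateDigest binds the version into the signed data so an old, validly signed database cannot be re-served as a newer one.
func updateDigest(version int, payload []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "sigdb-v%d\n", version)
	h.Write(payload)
	return h.Sum(nil)
}
// PackageUpdate is the publisher side: sign the versioned digest with the private key.
func PackageUpdate(priv ed25519.PrivateKey, version int, payload []byte) SignedUpdate {
	return SignedUpdate{version, payload, ed25519.Sign(priv, updateDigest(version, payload))}
}
// VerifyUpdate is the client side: reject rollbacks and bad signatures, however the bytes arrived.
func VerifyUpdate(pub ed25519.PublicKey, installed int, u SignedUpdate) error {
	if u.Version <= installed {
		return errors.New("rejected: not newer than installed version")
	}
	if !ed25519.Verify(pub, updateDigest(u.Version, u.Payload), u.Sig) {
		return errors.New("rejected: signature does not verify")
	}
	return nil
}

func main() {
	pub, priv := GenerateKeys()
	good := PackageUpdate(priv, 2, []byte("rule: block evil.example\n")) // constructed sample
	fmt.Println("genuine:", VerifyUpdate(pub, 1, good))
	tampered := SignedUpdate{2, []byte("rule: allow evil.example\n"), good.Sig} // rewritten on the wire
	fmt.Println("tampered:", VerifyUpdate(pub, 1, tampered))
}
```

Because the version number is part of the signed digest, an attacker can neither alter the rules nor relabel an old database as a new one without the publisher's private key.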

Mr. Ormandy also highlighted that attackers could execute code on the target machine using flaws in the TXTREPLACE and ACTION functionality, and could abuse a local privilege escalation issue in the engine's Access Control Lists (ACLs) to obtain system-level permissions.

The Malwarebytes team responded quickly to Mr. Ormandy's report, issuing a hotfix within a few days, and is preparing to release MBAM version 2.2.1, which is said to fix these issues fully and for good.

Alongside patching its product, the firm is also accepting outside help in securing it: Malwarebytes CEO Marcin Kleczynski has announced the firm's official bug bounty program, under which third-party researchers will be rewarded for reporting security bugs.

The company will reportedly pay between $100 and $1000 (€91 and €910) per identified security bug, depending on its severity. Researchers reporting lower-tier security bugs will also be eligible for some kind of “swag” from the firm.

Mr. Kleczynski stated:

“We are taking steps like the Bug Bounty program as well as building automatic vulnerability finding software to mitigate any potential for a future vulnerability.”

Meanwhile, users still running an older version of MBAM should turn on its “self-protection” feature to help prevent exploitation until they update.

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music and snooker, and my life motto is 'Do my best, so that I can't blame myself for anything.'