Kaspersky

TRANSPARENCY CENTERS

Transparency Centers serve as facilities for trusted partners to access reviews of the company’s code, software updates and threat detection rules, along with other activities. Through them, we provide governments and partners with information on our products and their security, including essential and important technical documentation, for external evaluation in a secure environment.

Kaspersky’s first Transparency Center was open in November 2018 in Zurich, Switzerland. In June 2019 another Transparency Center was opened in Madrid that also serves as a briefing center where trusted stakeholders can learn more about the company’s portfolio, engineering and data processing practices.

Kaspersky plans to open additional centers in Kuala Lumpur and São Paulo with the same functionality. At all of Kaspersky’s Transparency Centers, the company provides the opportunity to compile the company’s software from its source code and compare it with the publicly available one.

No other cybersecurity provider has done anything as far reaching as this. In opening its Transparency Centers, Kaspersky makes a significant step towards becoming completely transparent about its protection technologies, infrastructure and data processing practices.

To request access to the Transparency Center, please contact [email protected] or visit the website.

• Access policy

  The security and protection of our customers is our top priority; therefore, we follow the strictest access-policy practices and reserve the right to turn down a request if it could potentially cause a security breach.

  The Transparency Center welcomes:

  • ⚬ State agencies and regulators responsible for national cybersecurity and the protection of information systems (decreed as such by the respective local legislation);
  • ⚬ Prospective and existing enterprise partners and customers of Kaspersky anywhere in the world.

  Academia, media and information security community experts are being considered as potential invitees to the Transparency Center in the future

  Under no circumstances whatsoever will Kaspersky provide intelligence or law enforcement agencies that have a mandate and/or capability for cyber-offensive operations with access to the Transparency Center. The security information and infrastructure in the Transparency Center are provided by Kaspersky strictly for consultation purposes only. Any actions to modify the company’s source code, software updates, or threat detection rules are forbidden and will be prevented by the TC Steering team; any abuse will be reported to the local law enforcement agency.

INDEPENDENT AUDIT

Kaspersky has successfully completed the Service Organization Control for Service Organizations (SOC 2) Type 1 audit conducted by one of the Big Four accounting firms.

The Service Organization Controls (SOC) Reporting Framework is a globally recognized report for cybersecurity risk management controls, developed by the American Institute of Certified Public Accountants (AICPA) to inform customers about effective design and implementation of security controls. Being a responsible and transparent company for its customers, Kaspersky has chosen this standard to demonstrate the trustworthiness of its product and the company’s commitment to the AICPA Trust Service Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The final report confirms that the development and release of Kaspersky’s threat detection rules databases (AV databases) are protected from unauthorized changes by strong security controls. To learn more and to request the Kaspersky SOC 2 Type 1 Report, please visit the website.

Latest news on the Global Transparency Initiative

To keep you up-to-date with news on the relocation to Switzerland and the other activities that form part of our Global Transparency Initiative, we’ll be posting regular updates and progress reports in this section.

• Update May 2020

  • ⚬ Kaspersky developed a Cyber Capacity Building Program which includes dedicated training on product security evaluation. Available in online and offline formats, it is designed to help companies, government organizations and academia develop practical tools and knowledge for security assessments. The training will provide an introduction to product security evaluation and threat modeling, as well as source code review and vulnerability management. Taking part in the program will be free of charge, with a pilot project to be launched first for government organizations and academia in Q3, 2020. Later this year the training will be available for business organizations. Interested parties can learn more and request information here.
    
    
  • ⚬ Kaspersky has enabled remote access to Transparency Center services,by providing a ‘blue-piste’ assessment option – to become acquainted with both the company’s engineering practices and unparalleled data protection standards. Kaspersky’s security experts are ready to answer any questions regarding the company’s data processing practices and the functioning of its solutions, as well as provide a live demonstration of a source-code review. To request a remote blue-piste assessment option, please visit the website.
    
    
  • ⚬ As one of the pioneers in the industry, Kaspersky published its ethical principles for Responsible Vulnerability Disclosure (RVD), for greater transparency and efficiency in vulnerability handling and mitigating harm and risks to users. These principles are based on the company’s vast cybersecurity experience and have been aligned with guidelines provided by FIRST.
    
    
  • ⚬ Kaspersky has been continuously working on its Bug Bounty Program. Since March 2018, the company has been notified of 66 bugs. In total, 26 of those reported were rewarded with combined bounties totaling $49,250.
    
    
  • ⚬ Earlier this year the Paris Call officially launched its new website. Kaspersky has been among the early supporters of its nine principles for keeping cyberspace secure, open and cooperative. Kaspersky’s Global Transparency Initiative is listed as a particular example of the sixth principle implementation, by promoting higher transparency and accountability in cybersecurity
    
    
  • ⚬ Kaspersky’s Global Transparency Initiative has also been featured as an example of best practice for greater transparency and trust in a number of international documents, such as the UN Institute for Disarmament Research (UNIDIR) report on supply-chain security, and the Industrial Internet Consortium’s (IIC) best practices for trustworthy software development.
    
    

• Update November 2019

  • ⚬ Kaspersky relocates data from its U.S. and Canadian customers to Switzerland.. This follows the relocation of data processing for the company’s European users. The data is shared voluntarily with the Kaspersky Security Network (KSN) – an advanced, cloud-based system that automatically processes cyberthreat-related data, and includes suspicious or previously unknown malicious files that the company’s products send to KSN for automated malware analysis. Kaspersky plans to finalize the relocation by the end of 2020.
    
    
  • ⚬ Kaspersky to open a Transparency Center in São Paulo, Brazil, that will serve as a dedicated security facility for trusted partners in Latin America, to review the company’s source code, as well as learn more about engineering and data-processing practices and the company’s product portfolio. Earlier this year, the company opened one more European Transparency Center in Madrid and announced the opening of its APAC Transparency Center in Malaysia. At all of Kaspersky’s Transparency Centers, the company provides the opportunity to compile the company’s software from its source code and compare it with the publicly available one. This move assures an unprecedented level of confidence in Kaspersky’s products, allowing them to run a compilation process with the assistance of the company’s experts.
    
    

• Update July 2019

  • ⚬ Kaspersky has successfully completed the Service Organization Control for Service Organizations (SOC 2) Type 1 audit. The final report, issued by one of the Big Four accounting firms, confirms that the development and release of Kaspersky’s threat detection rules databases (AV databases), created and distributed for company’s products operating on Windows and Unix Servers, are protected from unauthorized changes by strong security controls. Kaspersky can disclose the principal information about its abovementioned commitments and requirements in the SOC 2 Type 1 report upon request.
    
    
  • ⚬ Kaspersky has been working continuously on the development of its Bug Bounty Program. Recently the company paid a $23,000 bounty – the biggest reward in the history of the program to date – to researchers from the Imaginary team for the discovery of a security issue in Kaspersky that could potentially allow third-parties to remotely execute arbitrary code on a user's PC with system privileges. The bug was promptly fixed. Kaspersky thanks the Imaginary team for the report and their assistance in improving the company’s products. Since March 2018, we resolved 66 bugs reported by security researchers through the program, with bounty rewards totaling almost $45,000.
    
    
  • ⚬ Safe Harbor for vulnerability researchers: The company now supports the Disclose.io framework which provides Safe Harbor for vulnerability researchers concerned about negative legal consequences of their discoveries. Kaspersky understands that external experts provide valuable assistance by finding and reporting vulnerabilities in its products and is ready to provide additional guarantees for fair treatment of vulnerability reports.
    
    
  • ⚬ Transparency Center in Madrid has officially been open to Kaspersky’s customers and partners, as well as government stakeholders, since June. As is the case at the Zurich facility, the company offers source-code reviews and tailored security briefings on the company’s data processing practices and functioning of its products.
    
    
  • ⚬ Threat intelligence support for law enforcement agencies: Kaspersky, the first among cybersecurity vendors, announced an advanced free service for Law Enforcement Agencies (LEAs). A unique and tailored approach developed to maximize their efforts in tackling borderless cybercrime, it consists of three components: Threat Intelligence Reporting, Threat Data Feeds and an Automated Security Awareness Platform (Kaspersky ASAP).

• Update April 2019

  • ⚬ Kaspersky opens Transparency Center in Madrid. In addition to a similar center in Zurich, opened in 2018, it will serve as a trusted facility for the company’s partners and government stakeholders. They will be able to come and check the company’s product source code and learn about Kaspersky’s engineering and data processing practices, as well as the company’s portfolio. The center will be open to visitors from June. Previously announced plans for Transparency Centers to be open in Asia and North America by 2020 are still ongoing.
    
    
  • ⚬ Transparency Center review system developed. This offers multiple review options according to the area of interest – from a general non-technical overview of the company’s engineering practices and data protection standards, through to the deepest and most comprehensive review of the critical parts of the company’s source code. More information about the available options can be found on the Transparency Centers website.
    
    
  • ⚬ Kaspersky publishes results of a voluntary third-party legal assessment, aimed at providing independent evaluation of the company’s obligations to Russian legislation. The analysis was conducted by prominent legal expert, Dr. Kaj Hober – Professor of International Investment and Trade Law at Uppsala University in Sweden and expert on the Russian legal system – and covers three Russian laws related to data processing and storage. These were widely reported as the ones Kaspersky was obliged to comply with, being a Russian-based company. Results of the analysis are freely available online.
    
    
  • ⚬ Bug Bounty program was improved by extending the scope of products for review. Security researchers can now investigate Kaspersky Password Manager and Kaspersky Endpoint Security for Linux, among others. Within a year of the extension being announced, we resolved more than 50 bugs reported by security researchers through the program, with bounty rewards totaling more than $17,000.

• Update November 2018

  First Transparency Center opens and data processing for European users in Zurich begins, plus news of an independent engineering audit and a thriving bug bounty program

  On November 13, 2018, malicious and suspicious files shared voluntarily with Kaspersky by users of the company’s products in Europe started to be processed in two data centers in Zurich. The data, which includes suspicious or previously unknown malicious files and corresponding meta-data that the company’s products send to Kaspersky Security Network (KSN) for automated malware analysis, is being processed in data centers that provide world-class facilities in compliance with industry standards to ensure the highest levels of security.

  The move reflects Kaspersky’s determination to assure the integrity and trustworthiness of its products.  It is accompanied by the opening of the company’s first Transparency Center, also in Zurich. Through the Transparency Center, Kaspersky will provide governments and partners with information on its products and their security, including essential and important technical documentation, for external evaluation in a secure environment.

  Other activities in progress include the engagement of a Big Four professional services firm to audit the company's engineering practices around the creation and distribution of threat detection rule databases, with the aim of independently confirming their accordance with the highest industry security practices.

  Alongside this, Kaspersky continues to support an active bug bounty program. Within one year, it has resolved more than 50 bugs reported by security researchers, of which several were especially valuable.

• Update August 2018

  • ⚬ Kaspersky has signed contracts with two leading data center providers in Zurich, Interxion and NTS, for world-class facilities where, from late 2018, we will start to securely store and process data shared by users of Kaspersky products in Europe. Other countries, including the U.S., Canada, Australia, Japan, South Korea and Singapore, will follow. Full relocation for European countries is expected to be finalized by the fourth quarter of 2019. For more information, see here: www.kaspersky.com/blog/transparency-status-updates
    
    
  • ⚬ Kaspersky’s first Transparency Center, also located in Zurich, will achieve initial operating capability by the end of 2018. The center will eventually provide responsible stakeholders with full visibility of the source code of our products and software updates.
    
    
  • ⚬ The other pillars of our new plans, such as the relocation of software code assembly, including products, product updates and threat detection rule databases (AV databases), and the appointment of an independent, third-party to manage and review everything, will take place during the second phase of the project, after 2018.