F-Secure rewards parties who report security vulnerabilities in certain F-Secure products and services, also known as a "bug bounty" program. In order to avoid misunderstandings and ambiguities, we apply the following guidelines; even if lengthy, please read them in their entirety before participating.
What is this about?
We want to hear about any security vulnerabilities in our products and services. In order to reward security researchers, we offer monetary rewards for eligible security vulnerability reports that are disclosed to us in a coordinated way. However, there are certain rules that need to be followed to ensure that your security research does not cause security risk to other users or their data, and to decrease the likelihood that your research would be flagged as a malicious intrusion attempt by our monitoring. We also want to be clear about certain aspects relating to acceptance of reports and payment of rewards in order to avoid any surprises.
A "security vulnerability" is defined as an issue that causes a breach of confidentiality, integrity, or availability of the service or data, or applies to personal data (privately identifiable information) being stored or processed in a way that is not compliant with the current Finnish data protection legislation.
At this time, the vulnerability reward program only covers some F-Secure products and services. In the future, we will consider extending it to cover additional products, services or our public web pages (including registration and login pages). We welcome vulnerability reports about any other F-Secure products, services or public web pages (including registration and login pages), too. However, these are not at this time part of this reward program.
At this time, the following products are in the scope of this vulnerability reward program:
| F-Secure Corporate Products (see notes below on restrictions) | F-Secure Consumer Products (see notes below on restrictions) |
|---|---|
| F-Secure Client Security | F-Secure SAFE |
| F-Secure Client Security Premium | F-Secure Internet Security |
| F-Secure Server Security | F-Secure Freedome |
| F-Secure Server Security Premium | F-Secure Key |
| F-Secure E-mail and Server Security | |
| F-Secure E-mail and Server Security Premium | |
| F-Secure Internet Gatekeeper | |
| F-Secure Linux Security | |
| F-Secure PSB Workstation Security | |
| F-Secure PSB Email and Server Security | |
| F-Secure PSB Server Security | |
| F-Secure PSB Linux Security | |
Restrictions on supported versions: Current newest version with latest database update installed as released through F-Secure web pages, Google Play Store, Windows Phone Store or Apple App Store. Information on current newest version can be found here and here.
Restrictions on reproducibility: Browser-side security issues need to be reproducible on an HTML5 capable web browser. Mobile device clients' vulnerabilities need to be reproducible on a non-rooted device, on the most current, and no more than one year old, firmware provided by the device manufacturer. On Android, the device must have Google Play Services factory-installed. On desktop clients, reproducibility is required without the attacker requiring administrator or root access, and with the OS being updated with the most current security patches provided by the OS vendor or distribution. Eligible client bugs are required to be in the code that F-Secure delivers as a part of a client application. Bugs in third-party components are generally eligible if they are delivered as part of the F-Secure client application. Issues that are bugs of the underlying platform, OS, or platform-provided libraries may be eligible as long as they can manifest in or affect the F-Secure application. In the case of bugs in external components, we will offer to take responsibility for notifying the affected parties in a timely manner. If you need clarification, contact us beforehand.
Permissible security research: We only allow security research that:
- Makes a good faith effort to avoid affecting third party services or their availability;
- Makes a good faith effort not to affect or disclose other users' accounts, personal data, or content, and not to affect service availability to other users;
- Only uses user account(s) that belong to you personally (you are allowed to create several accounts specifically for the purpose of conducting security research for this vulnerability reward program);
- Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data;
- Only uses or targets clients that have been installed on hardware you yourself own and operate;
- Only uses methods that are in compliance with your local and Finnish law;
- Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept demonstration;
- Only targets services or products listed above, with the appropriate exclusions.
If you have any questions about whether a certain type of research is permissible, or whether a given target is in scope, contact us at the reporting email address (below) before conducting the research.
How to report a security vulnerability
Please submit your report by e-mail to email@example.com. We would very strongly recommend you encrypt the email using our GnuPG key, available on key servers (key fingerprint 84AE 1EA4 A5FF 15D6 B10C 46AC 90F9 A6DD 90E8 028A), and attach your own public key in the mail.
Please note that by submitting us a vulnerability report, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right, to use, modify, and incorporate your submission or any parts thereof into our products, services, or test systems without any further obligations or notices to you.
Any non-security or non-privacy related bug reports or customer service requests sent to this email address will be ignored. If you have a non-security-related question regarding F-Secure products, please visit http://community.f-secure.com/ or contact Support.
In your report, please describe, at least:
- What you found;
- Where exactly you found it, and the steps to reproduce it;
Example: If the attack relates to a specific URI and a specific parameter, please provide that information in detail.
Example: If you are performing fuzzing activities, please provide us with additional information, especially the initial corpus you used.
- If the vulnerability applies to a service, date and time (UTC) when you could reproduce the vulnerability (we may have deployed a new version since then);
- If the vulnerability applies to a client, provide the client version number, and on which platform the client is running.
We would be thankful for any further relevant technical information that you may have, especially if reproduction is tricky. If we cannot reproduce it, we cannot reward you. However, there is no need to describe the security impact of your finding - we understand security risks and we can figure that out. We only need technical details.
We aim to send you a receipt within five working days. If you do not hear back from us by then, please resend the report.
What happens after your report
Our developers will look into the matter, and will make a determination whether your finding actually is a security vulnerability and if we can reproduce it with the information you supplied. If it qualifies, a reward will be paid after the issue has been fixed.
A reward will not be paid if the finding becomes known to anyone other than you or us, in any way, before it is fixed.
We cannot commit to any specific fixing (and as a result, reward payment) schedule as each case is different. However, we internally give high priority to externally reported security issues, and we will aim to keep you updated on the status. You may also ask for status updates by contacting your case handler.
We may at times publish the names of people we have rewarded, and if we publish any vulnerability bulletins, we'd like to give credit where it's due. If you would rather stay behind an alias (handle) or anonymous, we will of course respect that.
Although we will try to see the issue with your eyes, in some edge cases, we might be of the opinion that the issue you found does not pose a risk or the issue is not a security or privacy bug. In these cases, a reward will not be paid.
If someone else has already reported the finding earlier, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides us with enough technical details to reproduce the finding. We know that this would give us a loophole to claim that everything's been already previously found, but trust us, we want to be fair.
The size of the reward is solely determined by an F-Secure team consisting of our technical staff, and is based on the estimated risk posed by the vulnerability. The current reward range is from EUR 100 to EUR 15.000.
If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be paid.
Important: Please do not send your payment information to us up front. We will ask for the appropriate information if and when a payment is due.
Payments are made as bank transfers within the Single Euro Payments Area (SEPA) or international bank (wire) transfers outside the SEPA. We cannot use checks, cryptocurrencies, or use any other money transfer services. The payment recipient is responsible for any charges or fees levied on the transfer, and for accessing the funds once transferred. Payments are by default done in Euros (EUR) and any currency conversions are done at the current bank rate.
We are required to report all individual researchers' rewards to the Finnish Tax Administration irrespective of where you live. In order to do this, and to actually pay, we would later request your full name and a current physical mail address, and your bank (wire) transfer details. If you have a company, we may request that you invoice us instead.
The recipient is responsible for any taxes. If you are taxed in Finland, we are required to collect the withholding tax, and require your personal ID number and optionally your taxation certificate for the current year.
These identification requirements are imposed on us by the authorities, and we cannot make any exceptions to these. In addition, payments are not made to countries or jurisdictions that are under embargo, or to persons or entities on a sanctions list.
Due to these identification requirements, we will only deal with the original reporter directly. We will only use the email address in the original report, so ensure you have continued access to the email account you used to send the initial report.
Further legal statements
Our lawyers want us to point out the following small print:
You may reverse-engineer and decompile F-Secure clients strictly and solely for the purpose of conducting security research for this vulnerability reward program. This permission applies only to F-Secure clients explicitly named and listed in this vulnerability reward program, excluding any licensed third party components therein. You may not disclose, show or publish to any third parties any code or parts thereof in any form you have derived resulting from this permission.
F-Secure reserves the right to discontinue this reward program and change its terms at any time without prior notification. This text was last modified on 2016-09-08. Unless specifically extended here, the current vulnerability reward program will end on 31st December, 2016. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to F-Secure of any kind.