F-Secure rewards parties who report security vulnerabilities in certain F-Secure products and services, also known as a "bug bounty" program. In order to avoid misunderstandings and ambiguities, we apply the following guidelines; even if lengthy, please read them in their entirety before participating.
- What is this about?
- How to report a vulnerability
- What happens after your report
- Further Legal Statements
We want to hear about any security vulnerabilities in our products and services. In order to reward security researchers, we offer monetary rewards for eligible security vulnerability reports that are disclosed to us in a coordinated way. However, there are certain rules that need to be followed to ensure that your security research does not cause security risk to other users or their data, and to decrease the likelihood that your research would be flagged as a malicious intrusion attempt by our monitoring. We also want to be clear about certain aspects relating to acceptance of reports and payment of rewards in order to avoid any surprises.
A "security vulnerability" is defined as an issue that causes a breach of confidentiality, integrity, or availability of the service or data, or applies to personal data (personally identifiable information) being stored or processed in a way that is not compliant with the current Finnish data protection legislation.
At this time, the vulnerability reward program only covers some F-Secure products and services. In the future, we will consider extending it to cover additional products or services. We welcome vulnerability reports about any other F-Secure products or services, too. However, these are not at this time part of this reward program.
At this time, the following products and services are in the scope of this vulnerability reward program:
| Product / service | Scope |
| --- | --- |
| F-Secure Younited Storage Service | The F-Secure younited service as currently publicly deployed. Restricted to those domains and subdomains of younited.com, younitedcontent.com, and younitedapi.com that are a part of the actual Younited storage service, only. There are important exceptions, see notes below. |
| F-Secure Younited storage service mobile and desktop clients, current newest versions | Current newest version as released through F-Secure web pages, Google Play, Windows Phone Store, or Apple App Store. There are restrictions, see notes below. |
Restrictions on online services: Not all the services in the domains listed above are operated by F-Secure. For example, we may run marketing campaigns, support forums, and such, on the target domains but operated by subcontractors. These third party provided services are not in scope, as we cannot give permission to conduct security research against third party services. Our service or company logos on a page do not necessarily mean it is a part of the service or operated by us. If you need clarification, contact us beforehand.
Restrictions on reproducibility: Browser-side security issues need to be reproducible on an HTML5 capable web browser. Mobile device clients' vulnerabilities need to be reproducible on a non-rooted device running the most current firmware provided by the device manufacturer, which must be no more than one year old. On Android, the device must have Google Play Services factory-installed. On desktop clients, reproducibility is required without the attacker having administrator or root access, and with the OS updated with the most current security patches provided by the OS vendor or distribution. Client bugs also need to be in code that F-Secure delivers as a part of a client application; issues that are bugs of the underlying platform, OS, platform-provided libraries, or other third party apps are not eligible.
Permissible security research: We only allow security research that:
- Makes a good faith effort to avoid affecting third party services or their availability;
- Makes a good faith effort not to affect or disclose other users' accounts, personal data, or content, and not to affect service availability to other users;
- Only uses user account(s) that belong to you personally (you are allowed to create several accounts specifically for the purpose of conducting security research for this vulnerability reward program);
- Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data;
- Only uses or targets clients that have been installed on hardware you yourself own and operate;
- Only uses methods that are in compliance with your local and Finnish law;
- Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept demonstration;
- Only targets services or products listed above, with the appropriate exclusions.
If you have any questions about whether a certain type of research is permissible, or whether a given target is in scope, contact us at the reporting email address (below) before conducting the research.
Please submit your report by e-mail to firstname.lastname@example.org. We would very strongly recommend you encrypt the email using our GnuPG key, available on key servers (key fingerprint 098A 308E 6F15 E2CE 84A2 CB91 3BE6 8DBF 5902 6649), and attach your own public key in the mail.
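Checking the key before encrypting, as an added example (this is not F-Secure's own script): it fetches the key by the fingerprint published above, confirms that gpg reports exactly that fingerprint, and only then encrypts a report file addressed to the key by fingerprint rather than by name or e-mail address, so a look-alike key with the same user ID cannot be selected. The keyserver URL and the report file name are assumptions; the fingerprint is the one given on this page.

```shell
#!/bin/sh
# Added example, not part of the F-Secure programme text.
# Fetch the programme's GnuPG key, verify its fingerprint against the
# published value, and encrypt a report to it. The keyserver and the
# report file name are assumptions.
set -eu

# Fingerprint as published on the programme page.
EXPECTED_FPR="098A 308E 6F15 E2CE 84A2 CB91 3BE6 8DBF 5902 6649"

# Strip spaces and upper-case the hex so it can be compared with gpg's
# machine-readable (--with-colons) output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons --fingerprint` output on stdin; succeed only if
# some "fpr" record carries exactly the expected fingerprint (field 10).
fpr_matches() {
    expected=$(normalize_fpr "$1")
    awk -F: -v want="$expected" \
        '$1 == "fpr" && $10 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Full workflow: receive the key, verify it, encrypt the report.
# Refuses to encrypt if the fingerprint does not match.
encrypt_report() {
    report="$1"
    fpr=$(normalize_fpr "$EXPECTED_FPR")
    # Keyserver is an assumption; any server carrying the key will do.
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$fpr"
    if ! gpg --with-colons --fingerprint "$fpr" | fpr_matches "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: refusing to encrypt $report" >&2
        return 1
    fi
    # Address the recipient by full fingerprint, never by name or e-mail.
    gpg --armor --encrypt --recipient "$fpr" --output "$report.asc" "$report"
}

# Usage: encrypt_report report.txt   (produces report.txt.asc)
```

Attach your own public key to the mail as the page asks, so the reply can be encrypted back to you.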
Please note that by submitting us a vulnerability report, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right, to use, modify, and incorporate your submission or any parts thereof into our products, services, or test systems without any further obligations or notices to you.
Any non-security or non-privacy related bug reports or customer service requests sent to this email address will be ignored. If you have a non-security-related question about Younited, please visit http://community.younited.com, and for other F-Secure products, http://community.f-secure.com/.
More about reporting the issue
In your report, please describe, at least:
- What you found;
- Where exactly you found it, and the steps to reproduce;
  - Example: if the attack relates to a specific URI and a specific parameter, please provide that information in detail.
- If the vulnerability applies to a service, date and time (UTC) when you could reproduce the vulnerability (we may have deployed a new version since then);
- If the vulnerability applies to a client, provide the client version number, and on which platform the client is running.
We would be thankful for any further relevant technical information that you may have, especially if reproduction is tricky. If we cannot reproduce it, we cannot reward you. However, there is no need to describe the security impact of your finding - we understand security risks and we can figure that out. We only need technical details.
We aim to send you a receipt within two working days. If you do not hear back from us by then, please resend the report.
Our developers will look into the matter, and will make a determination whether your finding actually is a security vulnerability and if we can reproduce it with the information you supplied. If it qualifies, a reward will be paid after the issue has been fixed.
A reward will not be paid if the finding becomes known by anyone else than you or us, in any way, before it is fixed.
More about what happens after
We cannot commit to any specific fixing (and, as a result, reward payment) schedule, as each case is different. However, we internally give high priority to externally reported security issues, and we will aim to keep you updated on the status. You may also ask for status updates by contacting your case handler.
We may at times publish the names of people we have rewarded, and if we publish any vulnerability bulletins, we'd like to give credit where it's due. If you would rather stay behind an alias (handle) or anonymous, we will of course respect that.
Although we will try to see the issue with your eyes, in some edge cases, we might be of the opinion that the issue you found does not pose a risk or the issue is not a security or privacy bug. In these cases, a reward will not be paid.
If someone else has already reported the finding earlier, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides us with enough technical details to reproduce the finding. We know that this would give us a loophole to claim that everything has already been found, but trust us, we want to be fair.
The size of the reward is solely determined by an F-Secure team consisting of our technical staff, and is based on the estimated risk posed by the vulnerability. The current reward range is from EUR 100 to EUR 15.000.
If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be paid.
Important: Please do not send your payment information to us up front. We will ask for the appropriate information if and when a payment is due.
More about payments
Payments are made as bank transfers within the Single Euro Payments Area (SEPA) or as international bank (wire) transfers outside the SEPA. We cannot use checks, cryptocurrencies, or any other money transfer services. The payment recipient is responsible for any charges or fees levied on the transfer, and for accessing the funds once transferred. Payments are by default made in Euros (EUR), and any currency conversions are done at the current bank rate.
We are required to report all individual researchers' rewards to the Finnish Tax Administration irrespective of where you live. In order to do this, and to actually pay, we will later request your full name, a current physical mail address, and your bank (wire) transfer details. If you have a company, we may request that you invoice us instead.
The recipient is responsible for any taxes. If you are taxed in Finland, we are required to collect the withholding tax, and require your personal ID number and optionally your taxation certificate for the current year.
These identification requirements are imposed on us by the authorities, and we cannot make any exceptions to these. In addition, payments are not made to countries or jurisdictions that are under embargo, or to persons or entities on a sanctions list.
Due to these identification requirements, we will only deal with the original reporter directly. We will only use the email address in the original report, so ensure you have continued access to the email account you used to send the initial report.
Our lawyers want us to point out the following small print:
You may reverse-engineer and decompile F-Secure clients strictly and solely for the purpose of conducting security research for this vulnerability reward program. This permission applies only to F-Secure clients explicitly named and listed in this vulnerability reward program. You may not disclose, show or publish to any third parties any code or parts thereof in any form you have derived resulting from this permission.
F-Secure reserves the right to discontinue this reward program and change its terms at any time without prior notification. This text was last modified on 2014-06-16. Unless specifically extended here, the current vulnerability reward program will end on 31st December, 2014. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to F-Secure of any kind.
A description of the personal data file used for reward payments is available here.