F-Secure rewards parties who report security vulnerabilities in certain F-Secure products and services, also known as a "bug bounty" program. In order to avoid misunderstandings and ambiguities, we apply the following guidelines; even if lengthy, please read them in their entirety before participating.
We want to hear about any security vulnerabilities in our products and services. In order to reward security researchers, we offer monetary rewards for eligible security vulnerability reports that are disclosed to us in a coordinated way. However, there are certain rules that need to be followed to ensure that your security research does not cause security risk to other users or their data, and to decrease the likelihood that your research would be flagged as a malicious intrusion attempt by our monitoring. We also want to be clear about certain aspects relating to acceptance of reports and payment of rewards in order to avoid any surprises.
A "security vulnerability" is defined as an issue that causes a breach of confidentiality, integrity, or availability of the service or data, or applies to personal data (personally identifiable information) being stored or processed in a way that is not compliant with the current Finnish data protection legislation.
At this time, the vulnerability reward program only covers certain F-Secure products and services listed in the table below. We welcome vulnerability reports about any other F-Secure products, services or public web pages. However, these are not at this time part of this reward program.
|F-Secure Internet Security|
|F-Secure ID PROTECTION / KEY / Identity Theft Checker (ITC)|
Please see the corporate products (WithSecure) in scope of reward program here.
RESTRICTIONS ON SUPPORTED VERSIONS:
Current newest version with latest database update installed as released through F-Secure web pages, Google Play Store, Windows Phone Store or Apple App Store. Information on current newest version can be found here.
RESTRICTIONS ON REPRODUCIBILITY:
Browser-side security issues need to be reproducible on an HTML5 capable web browser. Mobile device clients' vulnerabilities need to be reproducible on a non-rooted device, on the most current, and no more than one year old, firmware provided by the device manufacturer. On Android, the device must have Google Play Services factory-installed. On desktop clients, reproducibility is required without the attacker requiring administrator or root access, and with the OS being updated with the most current security patches provided by the OS vendor or distribution. Eligible client bugs are required to be in the code that F-Secure delivers as a part of a client application. Bugs in third-party components are generally eligible if they are delivered as part of the F-Secure client application. Issues that are bugs of the underlying platform, OS, platform-provided libraries may be eligible as long as they can manifest or affect the F-Secure application. In the case of bugs for external components, we will offer to take the responsibility of timely notifying the affected parties. If you need clarification, contact us beforehand.
PERMISSIBLE SECURITY RESEARCH:
We only allow security research, that -
If you have any questions about whether a certain type of research is permissible, or whether a given target is in scope, contact us at firstname.lastname@example.org before conducting the research.
Please submit your report by email to email@example.com. We would very strongly recommend you encrypt the email using our PGP key, available on key servers (key fingerprint 4D4B 5579 44BE 34AF 45FA A656 C9C3 2AD8 02C6 F457), and attach your own public key in the mail.
Please note that by submitting us a vulnerability report, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right, to use, modify, and incorporate your submission or any parts thereof into our products, services, or test systems without any further obligations or notices to you.
Any non-security or non-privacy related bug reports or customer service requests sent to this email address will be ignored. If you have a non-security-related question regarding F-Secure products, please visit https://community.f-secure.com/, or contact Support For Home.
In your report, please describe, at least:
We would be thankful for any further relevant technical information that you may have, especially if reproduction is tricky. If we cannot reproduce it, we cannot reward you.
We aim to send you a receipt within five working days. If you do not hear back from us by then, please resend the report.
Our developers will look into the matter, and will make a determination whether your finding actually is a security vulnerability and if we can reproduce it with the information you supplied. If it qualifies, a reward will be paid after the issue has been fixed.
We cannot commit to any specific fixing (and as a result, reward payment) schedule as each case is different. However, we internally give high priority for externally reported security issues, and we will aim to keep you updated on the status. You may also ask for status updates by contacting your case handler.
We may at times publish the names of people we have rewarded, and if we publish any vulnerability bulletins, we'd like to give credit where it's due. If you would rather stay behind an alias (handle) or anonymous, we will of course respect that.
Although we will try to see the issue with your eyes, in some edge cases, we might be of the opinion that the issue you found does not pose a risk or the issue is not a security or privacy bug. In these cases, a reward will not be paid.
A reward will not be paid if the finding becomes public, in any way, before it is fixed. If someone else has already reported the finding earlier, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides us with enough technical details to reproduce the finding. We know that this would give us a loophole to claim that everything's been already previously found, but trust us, we want to be fair.
The size of the reward is solely determined by an F-Secure team consisting of our technical staff, and is based on the estimated risk posed by the vulnerability. The current reward range is from EUR 100 to EUR 15,000.
If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be paid.
The following table provides several bug classes and their corresponding bounty. While not all bug classes are covered by this list, you may get a sense of severity vs. reward by examining the following examples.
|Reward amount (€)||Example|
|Up to 15,000||
|Up to 5,000||
|Up to 2,000||
|Up to 500||
IMPORTANT! Please do not send your payment information to us up front. We will ask for the appropriate information if and when a payment is due.
Payments are made as bank transfers within the Single Euro Payments Area (SEPA) or international bank (wire) transfers outside the SEPA. We cannot use checks, cryptocurrencies, or use any other money transfer services. The payment recipient is responsible for any charges or fees levied on the transfer, and for accessing the funds once transferred. Payments are by default done in Euros (EUR) and any currency conversions are done at the current bank rate.
We are required to report all individual researchers' rewards to the Finnish Tax Administration irrespective of where you live. In order to do this, and to actually pay, we would later request your full name, date of birth and a current physical mail address, and your bank (wire) transfer details. If you have a company, we may request that you invoice us instead.
The recipient is responsible for any taxes. If you are taxed in Finland, we are required to collect the withholding tax, and require your personal ID number and optionally your taxation certificate for the current year.
These identification requirements are imposed on us by the authorities, and we cannot make any exceptions to these. In addition, payments are not made to countries or jurisdictions that are under embargo, or to persons or entities on a sanctions list.
Due to these identification requirements, we will only deal with the original reporter directly. We will only use the email address in the original report, so ensure you have continued access to the email account you used to send the initial report.
Our lawyers want us to point out the following small print:
You may reverse-engineer and decompile F-Secure clients strictly and solely for the purpose of conducting security research for this vulnerability reward program. This permission applies only to F-Secure clients explicitly named and listed in this vulnerability reward program, excluding any licensed third party components therein. You may not disclose, show or publish to any third parties any code or parts thereof in any form you have derived resulting from this permission.
A description of the personal data record used for reward payments is available here.
F-Secure reserves the right to discontinue this reward program and change its terms at any time without prior notification. This text was last modified on 2022-01-05. Unless specifically extended here, the current vulnerability reward program will end on 31st December 2022. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to F-Secure of any kind.