F-Secure welcomes collaboration with researchers interested in responsibly disclosing vulnerabilities in any F-Secure products or services. Issues reported to us undergo thorough investigation on a case-by-case basis. Researchers may choose between two options for reporting vulnerabilities:
Report a vulnerability (with a summary of its exploitation and impact, including details of any configurations, circumstances and code needed) via email to:
- We very strongly recommend encrypting the email using our GnuPG key ( available on key servers, key fingerprint B2A3 5FC5 D2EF 1258 E22F 0D78 ABF7 5C15 D545 AA06) and attaching your own public key in the mail.
If you have email messages which were incorrectly classified by our spam scanner, we would like to receive a copy by email. Do note that the submitted messages must meet the formatting criteria listed below or they will be rejected by our automated systems.
Spam messages which the spam scanner failed to filter
Legitimate, non-spam messages which were accidentally filtered as spam
Spam that attempts to trick you into disclosing an online banking password or other personal, private, sensitive information
- We accept only current messages which are completely unsolicited. Please do not submit old messages, joke messages, or emails from subscribed mailing lists.
- For meaningful analysis, do not edit the message(s) in any way. They should be submitted with full headers and, if possible, in the "message/rfc822" format.
- Scam or hoax emails such as Nigerian "419" spams are not "phishing", though we do appreciate receiving these as regular spam samples.
- If you cannot share complete samples for privacy or contractual reasons, just the full headers are acceptable; but please understand that our analysis without the full message will be incomplete.
- We assume no responsibility for any confidential information you may send us. If you send a message to us using this channel, our only guarantee is that it will not be released outside of our organization.
- Create a new message for your submission and add your samples as attachments to it. In the message, name the F-Secure product used and its version number.
- If you cannot attach the samples, collect them into a zip archive file named samples.zip. You may opt to password-protect the archive with the password "infected" (without the quotes).
- Submit the samples from a valid, live e-mail address. In rare cases, we may need to reply to you if we have questions.
- Multiple samples of the same type can be sent as a single submission (i.e., don't mix spam and ham samples in the same submission).
- Submissions are primarily handled by automated systems; if you wish to include comments related to the submission, they should be communicated to your designated support contact to ensure proper attention. Mention the support ticket ID in the Subject header of the sample submission.
NOTE: Microsoft Outlook or Outlook Express users
- Create a new message for your submission, then drag the sample(s) from your inbox into the composition pane so they appear as attachments to the new message.
NOTE: Messaging Security Gateway and Protection Service for Email product users
- Please use the feedback mechanism included in the products to report incorrect classifications. This guarantees that the samples are correctly submitted with all the required information.
NOTE: Any other email program
- We require the full headers of the email message to successfully process a submission; you may need to refer to your product documentation or publicly available sources for instructions on how to obtain the full headers of an email message using your email program.