Report a vulnerability
F-Secure welcomes collaboration with researchers interested in responsibly disclosing vulnerabilities in any F-Secure products or services.
Issues reported to us undergo thorough investigation on a case-by-case basis. Researchers may choose between two options for reporting vulnerabilities:
Security researchers are welcome to report vulnerabilities found in any F-Secure product or service
Not all F-Secure products and services are eligible under the Vulnerability Reward Program (VRP). You can check the Scope section of the VRP page to find out which products and services qualify for the program.
Vulnerability Reward Program (VRP)
Vulnerabilities reported for
selected F-Secure products or services
may be eligible for payment under our reward program
VRP Hall of Fame
F-Secure would like to thank the researchers who helped make our products and services safer by reporting valid security vulnerabilities
Report a vulnerability (with a summary of its exploitation and impact, including details of any configurations, circumstances and code needed) via email to:
We very strongly recommend encrypting the email using our GnuPG key (available on key servers, key fingerprint 84AE 1EA4 A5FF 15D6 B10C 46AC 90F9 A6DD 90E8 028A) and attaching your own public key in the mail.
Spam messages which the spam scanner failed to filter
Legitimate, non-spam messages which were accidentally filtered as spam
Spam that attempts to trick you into disclosing an online banking password or other personal, private, sensitive information
- We accept only current messages which are completely unsolicited. Please do not submit old messages, joke messages, or emails from subscribed mailing lists.
- For meaningful analysis, do not edit the message(s) in any way. They should be submitted with full headers and, if possible, in the "message/rfc822" format.
- Scam or hoax emails such as Nigerian "419" spams are not "phishing", though we do appreciate receiving these as regular spam samples.
- If you cannot share complete samples for privacy or contractual reasons, just the full headers are acceptable; but please understand that our analysis without the full message will be incomplete.
- We assume no responsibility for any confidential information you may send us. If you send a message to us using this channel, our only guarantee is that it will not be released outside of our organization.
- Create a new message for your submission and add your samples as attachments to it. In the message, name the F-Secure product used and its version number.
- If you cannot attach the samples, collect them into a zip archive file named samples.zip. You may opt to password-protect the archive with the password "infected" (without the quotes).
- Submit the samples from a valid, live e-mail address. In rare cases, we may need to reply to you if we have questions.
- Multiple samples of the same type can be sent as a single submission (i.e., don't mix spam and ham samples in the same submission).
- Submissions are primarily handled by automated systems; if you wish to include comments related to the submission, they should be communicated to your designated support contact to ensure proper attention. Mention the support ticket ID in the Subject header of the sample submission.
- Create a new message for your submission, then drag the sample(s) from your inbox into the composition pane so they appear as attachments to the new message.
- Please use the feedback mechanism included in the products to report incorrect classifications. This guarantees that the samples are correctly submitted with all the required information.
- We require the full headers of the email message to successfully process a submission; you may need to refer to your product documentation or publicly available sources for instructions on how to obtain the full headers of an email message using your email program.