F-Secure starts official Vulnerability Reward Program in November 2014

Scope

At this time, the vulnerability reward program only covers some F-Secure products and services. In the future, we will consider extending it to cover additional products or services. We welcome vulnerability reports about any other F-Secure products or services, too. However, these are not at this time part of this reward program. At this time, the following products and services are in the scope of this vulnerability reward program:

Restrictions on online services: Not all the services in the domains listed above are operated by F-Secure. For example, we may run marketing campaigns, support forums, and such, using the target domains that are operated by subcontractors. These third party provided services are not in the scope, as we cannot give a permission to conduct security research against third party services. Our service or company logos on a page do not necessarily mean it is a part of the service or operated by us. If you need clarification, contact us beforehand.

Restrictions on reproducibility: Browser-side security issues need to be reproducible on an HTML5 capable web browser. Mobile device clients' vulnerabilities need to be reproducible on a non-rooted device, on the most current, and no more than one year old, firmware provided by the device manufacturer. On Android, the device must have Google Play Services factory-installed. On desktop clients, reproducibility is required without the attacker requiring administrator or root access, and with the OS being updated with the most current security patches provided by the OS vendor or distribution. Client bugs also need to be in code that F-Secure delivers as a part of a client application; issues that are bugs of the underlying platform, OS, platform-provided libraries, or other third party apps, are not eligible.

Permissible security research: We only allow security research, that -

• Makes a good faith effort to avoid affecting third party services or their availability;
• Makes a good faith effort not to affect or disclose other users' accounts, personal data, or content, and not to affect service availability to other users;
• Only uses user account(s) that belong to you personally (you are allowed to create several accounts specifically for the purpose of conducting security research for this vulnerability reward program);
• Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data;
• Only uses or targets clients that have been installed on hardware you yourself own and operate;
• Only uses methods that are in compliance with your local and Finnish law;
• Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept demonstration;
• Only targets services or products listed above, with the appropriate exclusions.