Vulnerability Reward Program
Report vulnerabilities found in WithSecure products and services.
WithSecure rewards parties who report security vulnerabilities in certain WithSecure products and services, also known as a "bug bounty" program.
In order to avoid misunderstandings and ambiguities, we apply the following guidelines; even if lengthy, please read them in their entirety before participating.
What is this about?
We want to hear about any security vulnerabilities in our products and services. In order to reward security researchers, we offer monetary rewards for eligible security vulnerability reports that are disclosed to us in a coordinated way. However, there are certain rules that need to be followed to ensure that your security research does not cause security risk to other users or their data, and to decrease the likelihood that your research would be flagged as a malicious intrusion attempt by our monitoring. We also want to be clear about certain aspects relating to acceptance of reports and payment of rewards in order to avoid any surprises.
A "security vulnerability" is defined as an issue that causes a breach of confidentiality, integrity, or availability of the service or data, or applies to personal data (personally identifiable information) being stored or processed in a way that is not compliant with the current Finnish data protection legislation.
At this time, the vulnerability reward program only covers certain WithSecure products and services listed in the table below. We welcome vulnerability reports about any other WithSecure products, services or public web pages. However, these are not at this time part of this reward program.
|WithSecure Client Security|
|WithSecure Client Security Premium|
|WithSecure Server Security|
|WithSecure Server Security Premium|
|WithSecure E-mail and Server Security|
|WithSecure E-mail and Server Security Premium|
|WithSecure Internet Gatekeeper|
|WithSecure Linux Security (32-bit)|
|WithSecure Linux Security 64|
|WithSecure PSB Email and Server Security|
|WithSecure PSB Linux Security|
|WithSecure Cloud Protection for Salesforce|
|WithSecure Policy Manager|
|WithSecure Elements EPP for Computers / F-Secure Computer Protection|
|WithSecure Elements EPP for Computers Premium / F-Secure Computer Protection Premium|
|WithSecure Elements EPP for Servers / F-Secure Server Protection|
|WithSecure Elements EPP for Servers Premium / F-Secure Server Protection Premium|
|WithSecure Elements for Microsoft 365|
|WithSecure Freedome for Business|
Restrictions and Supported versions
Current newest version with latest database update installed as released through WithSecure web pages, Google Play Store, Windows Phone Store or Apple App Store. Information on current newest version can be found here.
Restrictions and Reproductibility
Browser-side security issues need to be reproducible on an HTML5 capable web browser. Mobile device clients' vulnerabilities need to be reproducible on a non-rooted device, on the most current, and no more than one year old, firmware provided by the device manufacturer. On Android, the device must have Google Play Services factory-installed. On desktop clients, reproducibility is required without the attacker requiring administrator or root access, and with the OS being updated with the most current security patches provided by the OS vendor or distribution. Eligible client bugs are required to be in the code that WithSecure delivers as a part of a client application. Bugs in third-party components are generally eligible if they are delivered as part of the WithSecure client application. Issues that are bugs of the underlying platform, OS, platform-provided libraries may be eligible as long as they can manifest or affect the WithSecure application. In the case of bugs for external components, we will offer to take the responsibility of timely notifying the affected parties. If you need clarification, contact us beforehand.
Permissible Security Research
We only allow security research, that:
- Makes a good faith effort to avoid affecting third party services or their availability;
- Makes a good faith effort not to affect or disclose other users' accounts, personal data, or content, and not to affect service availability to other users;
- Only uses user account(s) that belong to you personally (you are allowed to create several accounts specifically for the purpose of conducting security research for this vulnerability reward program);
- Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data;
- Only uses or targets clients that have been installed on hardware you yourself own and operate;
- Only uses methods that are in compliance with your local and Finnish law;
- Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept demonstration;
- Only targets services or products listed above, with the appropriate exclusions.
If you have any questions about whether a certain type of research is permissible, or whether a given target is in scope, contact us at firstname.lastname@example.org before conducting the research.
How to report a vulnerability
Please submit your report by email to email@example.com. We would very strongly recommend you encrypt the email using our PGP key, available on key servers (key fingerprint 4D4B 5579 44BE 34AF 45FA A656 C9C3 2AD8 02C6 F457), and attach your own public key in the mail.
Please note that by submitting us a vulnerability report, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right, to use, modify, and incorporate your submission or any parts thereof into our products, services, or test systems without any further obligations or notices to you.
Any non-security or non-privacy related bug reports or customer service requests sent to this email address will be ignored. If you have a non-security-related question regarding WithSecure products, please visit https://community.f-secure.com/, or contact Support For Business.
In your report, please describe, at least:
- What you found;
- Where exactly did you find it and steps to reproduce;
- Example: If the attack relates to a specific URI and a specific parameter, please provide that information in detail.
- Example: If you are performing fuzzing activities, please provide us with additional information especially the initial corpus you used.
- If the vulnerability applies to a service, date and time (UTC) when you could reproduce the vulnerability (we may have deployed a new version since then);
- If the vulnerability applies to a client, provide the client version number, on which platform the client is running and database version (if applicable);
- Possible impact of the vulnerability or ways an attacker can leverage the vulnerability;
- Proof-of-Concept or functional exploit if available;
- Fix suggestion if available.
We would be thankful for any further relevant technical information that you may have, especially if reproduction is tricky. If we cannot reproduce it, we cannot reward you.
We aim to send you a receipt within five working days. If you do not hear back from us by then, please resend the report.
What happens after your report
Our developers will look into the matter, and will make a determination whether your finding actually is a security vulnerability and if we can reproduce it with the information you supplied. If it qualifies, a reward will be paid after the issue has been fixed.
We cannot commit to any specific fixing (and as a result, reward payment) schedule as each case is different. However, we internally give high priority for externally reported security issues, and we will aim to keep you updated on the status. You may also ask for status updates by contacting your case handler.
We may at times publish the names of people we have rewarded, and if we publish any vulnerability bulletins, we'd like to give credit where it's due. If you would rather stay behind an alias (handle) or anonymous, we will of course respect that.
Although we will try to see the issue with your eyes, in some edge cases, we might be of the opinion that the issue you found does not pose a risk or the issue is not a security or privacy bug. In these cases, a reward will not be paid.
A reward will not be paid if the finding becomes public, in any way, before it is fixed. If someone else has already reported the finding earlier, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides us with enough technical details to reproduce the finding. We know that this would give us a loophole to claim that everything's been already previously found, but trust us, we want to be fair.
The size of the reward is solely determined by an WithSecure team consisting of our technical staff, and is based on the estimated risk posed by the vulnerability. The current reward range is from EUR 100 to EUR 15,000.
If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be paid.
The following table provides several bug classes and their corresponding bounty. While not all bug classes are covered by this list, you may get a sense of severity vs. reward by examining the following examples.
|Reward amount (€)||Example|
|Up to 15,000||
Remote code execution on production server
Remote file inclusion on production server
Significant authentication bypass on production server containing critical information
|Up to 5,000||
Remote code execution on client software
Data extraction from a production server
Access control issue which exposes Personally Identifiable Information
|Up to 2,000||
Remote code execution within a sandbox
Local privilege escalation
Persistent denial of service on Anti-virus or privacy functionality
|Up to 500||
Temporary denial of service of Anti-virus or privacy functionality
Security related misconfiguration on production server or client software
IMPORTANT! Please do not send your payment information to us up front. We will ask for the appropriate information if and when a payment is due.
Payments are made as bank transfers within the Single Euro Payments Area (SEPA) or international bank (wire) transfers outside the SEPA. We cannot use checks, cryptocurrencies, or use any other money transfer services. The payment recipient is responsible for any charges or fees levied on the transfer, and for accessing the funds once transferred. Payments are by default done in Euros (EUR) and any currency conversions are done at the current bank rate.
We are required to report all individual researchers' rewards to the Finnish Tax Administration irrespective of where you live. In order to do this, and to actually pay, we would later request your full name, date of birth and a current physical mail address, and your bank (wire) transfer details. If you have a company, we may request that you invoice us instead.
The recipient is responsible for any taxes. If you are taxed in Finland, we are required to collect the withholding tax, and require your personal ID number and optionally your taxation certificate for the current year.
These identification requirements are imposed on us by the authorities, and we cannot make any exceptions to these. In addition, payments are not made to countries or jurisdictions that are under embargo, or to persons or entities on a sanctions list.
Due to these identification requirements, we will only deal with the original reporter directly. We will only use the email address in the original report, so ensure you have continued access to the email account you used to send the initial report.
Further legal statements
Our lawyers want us to point out the following small print:
You may reverse-engineer and decompile WithSecure clients strictly and solely for the purpose of conducting security research for this vulnerability reward program. This permission applies only to WithSecure clients explicitly named and listed in this vulnerability reward program, excluding any licensed third party components therein. You may not disclose, show or publish to any third parties any code or parts thereof in any form you have derived resulting from this permission.
A description of the personal data record used for reward payments is available here.
WithSecure reserves the right to discontinue this reward program and change its terms at any time without prior notification. This text was last modified on 2022-01-05. Unless specifically extended here, the current vulnerability reward program will end on 31st December 2022. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to WithSecure of any kind.