F-Secure starts official Vulnerability Reward Program in November 2014

F-Secure starts Vulnerability Reward Program in November

F-Secure the world famous it-security and antivirus software company joined the commercial bug bounty community in november 2014 by publishing a new security related website. The program was still in progress since march/april and got published around the 15th november. An official of f-secure wrote us a mail to notify us about the changes in the morning. The vulnerability laboratory team captured the changes and tracked the program in the official bug bounty list.

It is very important for security researchers to read the scope rules next to startup any testings because of there are several specific restrictions set to participate in the official bug bounty program. The reward amount for a valid issue begins with 100$ reward and ends with a maxium reward of 15.000$. Like in every program the security team provides a pgp key for security communication and a how to report a bug guide. Feel free to watch the reference link to review or participate in the official vulnerability reward program of f-secure.


At this time, the vulnerability reward program only covers some F-Secure products and services. In the future, we will consider extending it to cover additional products or services. We welcome vulnerability reports about any other F-Secure products or services, too. However, these are not at this time part of this reward program. At this time, the following products and services are in the scope of this vulnerability reward program:

F-Secure Younited Storage Service
The F-Secure younited service as currently publicly deployed Restricted to those domains and subdomains of younited.com, younitedcontent.com, and younitedapi.com that are a part of the actual Younited storage service, only. There are important exceptions, see notes below.
F-Secure Younited storage service mobile and desktop clients, current newest versions Current newest version as released through F-Secure web pages, Google Play, Windows Phone Store, or Apple App Store. There are restrictions, see notes below.

Restrictions on online services: Not all the services in the domains listed above are operated by F-Secure. For example, we may run marketing campaigns, support forums, and such, using the target domains that are operated by subcontractors. These third party provided services are not in the scope, as we cannot give a permission to conduct security research against third party services. Our service or company logos on a page do not necessarily mean it is a part of the service or operated by us. If you need clarification, contact us beforehand.

Restrictions on reproducibility: Browser-side security issues need to be reproducible on an HTML5 capable web browser. Mobile device clients' vulnerabilities need to be reproducible on a non-rooted device, on the most current, and no more than one year old, firmware provided by the device manufacturer. On Android, the device must have Google Play Services factory-installed. On desktop clients, reproducibility is required without the attacker requiring administrator or root access, and with the OS being updated with the most current security patches provided by the OS vendor or distribution. Client bugs also need to be in code that F-Secure delivers as a part of a client application; issues that are bugs of the underlying platform, OS, platform-provided libraries, or other third party apps, are not eligible.

Permissible security research: We only allow security research, that -

  • Makes a good faith effort to avoid affecting third party services or their availability;
  • Makes a good faith effort not to affect or disclose other users' accounts, personal data, or content, and not to affect service availability to other users;
  • Only uses user account(s) that belong to you personally (you are allowed to create several accounts specifically for the purpose of conducting security research for this vulnerability reward program);
  • Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data;
  • Only uses or targets clients that have been installed on hardware you yourself own and operate;
  • Only uses methods that are in compliance with your local and Finnish law;
  • Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept demonstration;
  • Only targets services or products listed above, with the appropriate exclusions.




Rate this article: 
Average: 5 (4 votes)

Add new comment

Plain text

  • No HTML tags allowed.