Security Experts:

F-Secure Revamps Bug Bounty Program

Finland-based security solutions provider F-Secure announced this week the launch of a bug bounty program that covers several of the company’s corporate and consumer products.

F-Secure launched its vulnerability reward program in the spring of 2014 and suspended it in February 2015. The initial program only covered F-Secure Younited storage services.

The company has now relaunched its bug bounty program and expanded it to include many of the firm’s products. The new program includes consumer products such as F-Secure SAFE, Internet Security, Freedom, and Key, and corporate solutions such as F-Secure Client Security, Server Security, Email and Server Security, Internet Gatekeeper, Linux Security, and Protection Service for Business (PSB) products.

Experts who find vulnerabilities in these applications can earn between €100 ($110) and €15,000 ($16,500).

The reported vulnerabilities are only eligible for a reward if they can be reproduced on the newest versions of the targeted software obtained from F-Secure’s website, Google Play, the Apple App Store, and the Windows Phone Store. In the case of mobile products, the exploit must work on non-rooted, non-jailbroken devices that run a version of firmware no older than one year. In the case of desktop clients, the exploit must work without administrator or root access.

Bugs in third-party components delivered as part of the F-Secure application and flaws in the underlying platform can also be eligible.

Researchers who identify vulnerabilities in the covered products are advised to report them to security(at)f-secure.com, preferably by encrypting the email. The submission must include a description of the issue, its location and steps to reproduce, and the product version affected. In the case of services, the reporter must specify the date and time when the vulnerability could be reproduced.

While some companies threaten to take legal action against researchers who reverse engineer their products, participants in F-Secure’s program are granted permission to decompile and reverse engineer the company’s applications.

Researchers often find serious vulnerabilities in security products. A perfect example is the work of Google researcher Tavis Ormandy, who identified several flaws in Kaspersky Lab anti-virus products over the past months.

Related Reading: Invitation-Only Bug Bounty Programs Becoming More Popular

Related Reading: Microsoft Launches Bug Bounty Program for .NET Core, ASP.NET Beta

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Singapore ICS Cyber Security Conference