Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

F-Secure Revamps Bug Bounty Program

Finland-based security solutions provider F-Secure announced this week the launch of a bug bounty program that covers several of the company’s corporate and consumer products.

Finland-based security solutions provider F-Secure announced this week the launch of a bug bounty program that covers several of the company’s corporate and consumer products.

F-Secure launched its vulnerability reward program in the spring of 2014 and suspended it in February 2015. The initial program only covered F-Secure Younited storage services.

The company has now relaunched its bug bounty program and expanded it to include many of the firm’s products. The new program includes consumer products such as F-Secure SAFE, Internet Security, Freedom, and Key, and corporate solutions such as F-Secure Client Security, Server Security, Email and Server Security, Internet Gatekeeper, Linux Security, and Protection Service for Business (PSB) products.

Experts who find vulnerabilities in these applications can earn between €100 ($110) and €15,000 ($16,500).

The reported vulnerabilities are only eligible for a reward if they can be reproduced on the newest versions of the targeted software obtained from F-Secure’s website, Google Play, the Apple App Store, and the Windows Phone Store. In the case of mobile products, the exploit must work on non-rooted, non-jailbroken devices that run a version of firmware no older than one year. In the case of desktop clients, the exploit must work without administrator or root access.

Bugs in third-party components delivered as part of the F-Secure application and flaws in the underlying platform can also be eligible.

Researchers who identify vulnerabilities in the covered products are advised to report them to security(at)f-secure.com, preferably by encrypting the email. The submission must include a description of the issue, its location and steps to reproduce, and the product version affected. In the case of services, the reporter must specify the date and time when the vulnerability could be reproduced.

While some companies threaten to take legal action against researchers who reverse engineer their products, participants in F-Secure’s program are granted permission to decompile and reverse engineer the company’s applications.

Researchers often find serious vulnerabilities in security products. A perfect example is the work of Google researcher Tavis Ormandy, who identified several flaws in Kaspersky Lab anti-virus products over the past months.

Related Reading: Invitation-Only Bug Bounty Programs Becoming More Popular

Related Reading: Microsoft Launches Bug Bounty Program for .NET Core, ASP.NET Beta

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.