F-Secure Vulnerability Reward Program Update

A message from Calvin, a security vulnerability expert and member of our Anti-Malware Unit. The AMU team has a customer care/support focus.

Happy New Year to all you readers out there! A year has passed since we launched our F-Secure Vulnerability Reward Program (bug bounty) and time really flies. Here’s a snapshot of what we’ve seen in 2016:

  • We had close to 60 unique submissions.
  • We rewarded almost €30,000 for 35 reports in total.
  • We rewarded €5,000 for one critical vulnerability.
  • We released two security advisories as a result of the submissions received.

The reports submitted during the past year have proven to be very useful to us. We have seen some interesting exploitation tricks and our development team has made use of the information to further improve our internal process. Not forgetting, we have a Hall of Fame page thanking all the researchers who helped make our products better.

On the other hand, we realized, being new to this, that we are not perfect and some mistakes were made. For that, we apologize and ask for forgiveness. We have learned from it and here is an update on what to expect in 2017:

  • Our program is now extended for another year, ending on 31st December 2017.
  • We are now promising an acknowledgement email within 5 business days upon receiving your report. We will also provide a progress update email within 10 business days after our last contact with you.
  • We are working on listing a payment table so that you can have a better overview of our reward level. Stay tuned to our program page.
  • We are also working on defining what we at F-Secure consider as quality report, and this too will be updated in our program page.

We thank you for your continuous research and for helping us keep our users secure. Click here for the complete rules. Happy bug hunting!

Tagged: Security Research, Th3 Cyb3r, Vulnerability Source: https://labsblog.f-secure.com

Leave a Reply