Scope
At this time, the vulnerability reward program only covers certain WithSecure products and services listed in the table below. We welcome vulnerability reports about any other WithSecure products, services or public web pages. However, these are not at this time part of this reward program.
- WithSecure Client Security
- WithSecure Client Security Premium
- WithSecure Server Security
- WithSecure Server Security Premium
- WithSecure E-mail and Server Security
- WithSecure E-mail and Server Security Premium
- WithSecure Linux Protection
- WithSecure Atlant
- WithSecure PSB Linux Security
- WithSecure Cloud Protection for Salesforce
- WithSecure Policy Manager
- WithSecure Elements EPP for Computers
- WithSecure Elements EPP for Computers Premium
- WithSecure Elements EPP for Servers
- WithSecure Elements EPP for Servers Premium
- WithSecure Elements Collaboration Protection
Restrictions and Supported versions
The current newest version, with the latest database update installed, as released through WithSecure web pages, Google Play Store, Windows Phone Store or Apple App Store. Information on current newest version can be found here.
Restrictions and Reproducibility
Browser-side security issues need to be reproducible on an HTML5-capable web browser. Vulnerabilities in mobile device clients need to be reproducible on a non-rooted device, on the most current, and no more than one year old, firmware provided by the device manufacturer. On Android, the device must have Google Play Services factory-installed. On desktop clients, the issue must be reproducible without the attacker requiring administrator or root access, and with the OS updated with the most current security patches provided by the OS vendor or distribution. Eligible client bugs are required to be in the code that WithSecure delivers as a part of a client application. Bugs in third-party components are generally eligible if they are delivered as part of the WithSecure client application. Issues that are bugs of the underlying platform, OS, or platform-provided libraries may be eligible as long as they can manifest in or affect the WithSecure application. In the case of bugs in external components, we will offer to take responsibility for notifying the affected parties in a timely manner. If you need clarification, contact us beforehand.
Permissible Security Research
We only allow security research that:
- Makes a good faith effort to avoid affecting third party services or their availability;
- Makes a good faith effort not to affect or disclose other users' accounts, personal data, or content, and not to affect service availability to other users;
- Only uses user account(s) that belong to you personally (you are allowed to create several accounts specifically for the purpose of conducting security research for this vulnerability reward program);
- Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data;
- Only uses or targets clients that have been installed on hardware you yourself own and operate;
- Only uses methods that are in compliance with your local and Finnish law;
- Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept demonstration;
- Only targets services or products listed above, with the appropriate exclusions.
If you have any questions about whether a certain type of research is permissible, or whether a given target is in scope, contact us at security@withsecure.com before conducting the research.