Want update for my vulnerability report

Hunter0923
Hunter0923 Posts: 4 Observer

Hi Team,

I am a security researcher, and a few months ago I submitted a vulnerability report from another email address of mine (sapt….@gmail.com) to your vulnerability reward program. At that time one of your agents said yes, the program is active and we will reply to your report very soon, but it's been 3 months and I haven't got any response from your end.

So I kindly request you to please contact me about the vulnerability report and take a look at it, because it's been months, team, and I am not happy with your response, so I request you to please take a look at my report.

Also, I am attaching your agent's screenshot, which I received by mail, for your reference.

PROOF TEAM F SECURE .png

Regards,

Sudo

Security researcher

Answers

  • Chameni
    Chameni Posts: 271 Moderator

    Hi,

    Thank you for reaching out and for your interest in helping improve the security of F-Secure products.

    Please note that vulnerability reports submitted to our Vulnerability Reward Program are handled by a dedicated security team. As community moderators, we do not have access to or visibility into the status of reports submitted through that program.

    We kindly ask you to refer to the official Vulnerability Reward Program page and follow the instructions provided there for submitting or following up on a report:
    https://www.f-secure.com/en/vulnerability-reward-program

    If your report was submitted previously and you have not yet received a response, we recommend submitting a follow-up through the official channel listed on the page so the security team can review your request directly.

    Thank you for helping us keep our services secure.

    Chameni.

  • Hunter0923
    Hunter0923 Posts: 4 Observer

    Hi @Chameni ,

    Thanks for your reply, team. Actually, as you said that if I follow up on my submission I might get a reply, let me tell you that I have been trying to reach your team for 2 months. I even mailed them for updates, but no one is replying to me, and this is why I posted my question here, so that someone can help me with that.

    I even went to your live chat help option too, and he suggested that I raise a ticket on the community forum. That's why I did so. Now please help with this, because I tried all of those things before I reached out to you.

    Hope you got me. I will be waiting for your response.

    Sudo

  • Ukko
    Ukko Posts: 4,020 Superuser

    Hello,

    I am only an F-Secure user.

    Sorry for my comment. Just to better understand the situation (like, what the problem might be).

    Did you use the "security@f-secure.com" address? Did you encrypt the email using the PGP key as they suggested (while providing your public key)?

    The page dedicated to the Vulnerability Reward Program has not been updated, saying "the current vulnerability reward program will end June 30, 2025." (as well as .well-known's security.txt). So, did you receive any response from "security@f-secure.com", or was all communication within Live Chat and 'further' tickets there?

    The screenshot mentions the point that they call it "Bug Bounty Program" (managed internally on a best-effort basis) there. Perhaps there was a misunderstanding regarding which channel to use for communication and from whom to expect a response? Did the agent tell you the routine clearly at that time?

    // I don't know if you can 'ping' @gancal on this subject.

  • Chameni
    Chameni Posts: 271 Moderator

    Hi @Hunter0923,

    Thank you for explaining. We understand how frustrating it must be to wait so long without a response. We’ll help you get this sorted.

    I'm checking with the respective team on this and will revert as soon as possible with an update.

  • Chameni
    Chameni Posts: 271 Moderator

    Hi @Hunter0923,

    Thank you for your interest in our bug bounty program. At the moment, the program is on hold. We really appreciate your effort in reporting issues and helping us keep our products secure. Your submission will still be reviewed by the team, and they’ll get back to you once possible.

    Best regards.
    Chameni

  • Chameni
    Chameni Posts: 271 Moderator

    Hi @Hunter0923,

    Thank you for your patience. It appears that your previous email sent to security@f-secure.com may have been placed in quarantine, which is why you did not receive a response.

    If you are still willing to proceed, we kindly ask you to resubmit your report by sending the email, details of the issue, and any attachments to security@f-secure.com again. To help prevent the message from being quarantined, please place the attachments in a password-protected archive when sending them.

    Thank you again for taking the time to report this and help improve our security.

  • Hunter0923
    Hunter0923 Posts: 4 Observer

    Hi @Chameni ,

    Thanks for your reply. Actually, team, I don't want to get into more trouble, because I think your mail system has some issue. So can you please tell me any other mail address, or shall I ping you, so I can send my report to you and you can forward it?

    This will be better, so please message me or let me know how I can ping you and I will give you my report. Also, please confirm whether it will be eligible for a reward or not, because at that time your program was active and that's why I submitted.

    Hope you got me.

    Sudo

  • gancal
    gancal Posts: 23 F-Secure Product Expert

    Thanks for the tag @Ukko ! I'm still here 😁

    @Hunter0923 , as noted by @Chameni earlier, your report was quarantined by our mail server, as it was probably detected as containing a suspicious attachment; therefore it never landed in the security@f-secure.com inbox.

    To support you better, can you resubmit your report to the same email address, but this time zip up the attachment in a password-protected zip?

    Regarding the eligibility of the reward, note that the report has to be in scope as listed in the program page. At the time of the program when it was active last year, the scope of products eligible for reward is F-Secure Total in Windows, Mac, Android and iOS. Issues related to backend services and public web pages were not in scope of the program, hence not eligible for reward. We would however still fix any valid security issue and list contributors to our Hall of Fame page upon fix release.

    Hope this answers your question and concerns.

    -Calvin Gan

  • Hunter0923
    Hunter0923 Posts: 4 Observer

    Hi @Chameni ,

    Yes, where I tested and submitted the report, that was an eligible domain, and I asked before testing. So please refer to my report; I have sent it to the mail address which you told me. Please check whether you have received it or not. My mail starts with sap*.@gmail.com

    So please let me know. Thanks again for assisting.

    Regards,

    Sudo

  • gancal
    gancal Posts: 23 F-Secure Product Expert

    @Hunter0923 , we see the submission now in our mailbox. Our team will respond to you directly through the email.