Vulnerability Reward Program

We reward security researchers who responsibly disclose vulnerabilities in WithSecure products and services. Rewards range from EUR 500 to EUR 18,000.

What is this about?

We want to hear about any security vulnerabilities in our products and services, and we offer monetary rewards for eligible vulnerability reports that are disclosed to us in a coordinated way.

However, certain rules must be followed so that your security research does not put other users or their data at risk, and to reduce the likelihood that our monitoring flags your research as a malicious intrusion attempt.

A “security vulnerability” is defined as an issue that causes a breach of the confidentiality, integrity, or availability of a service or its data, or that causes personal data to be stored or processed in a way that does not comply with current Finnish data protection legislation.

The vulnerability reward program covers the following WithSecure products and services. We welcome vulnerability reports about any other WithSecure products, services or public web pages — however, these are not at this time part of this reward program.

WithSecure Client Security
WithSecure Client Security Premium
WithSecure Server Security
WithSecure Server Security Premium
WithSecure E-mail and Server Security
WithSecure E-mail and Server Security Premium
WithSecure Linux Protection
WithSecure Atlant
WithSecure PSB Linux Security
WithSecure Cloud Protection for Salesforce
WithSecure Policy Manager
WithSecure Elements EPP for Computers
WithSecure Elements EPP for Computers Premium
WithSecure Elements EPP for Servers
WithSecure Elements EPP for Servers Premium
WithSecure Elements Collaboration Protection
WithSecure Elements Endpoint Detection and Response
WithSecure Countercept Managed Detection & Response (MDR)
WithSecure Elements Mobile Protection

Restrictions and supported versions

Only the current (newest) release with the latest database update installed is in scope, as distributed through the WithSecure web pages, Google Play Store, Windows Phone Store or Apple App Store.

Permissible security research

We only allow security research that:

  • Makes a good faith effort to avoid affecting third party services or their availability
  • Makes a good faith effort not to affect or disclose other users’ accounts, personal data, or content
  • Only uses user account(s) that belong to you personally
  • Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data
  • Only uses or targets clients installed on hardware you yourself own and operate
  • Only uses methods in compliance with your local and Finnish law
  • Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept
  • Only targets services or products listed above, subject to the exclusions stated in this program (for example, licensed third-party components)

Please submit your report by email to security@withsecure.com. We strongly recommend that you encrypt the email using our PGP key, available on key servers (key fingerprint 2622 90BA C1DB AB46 2954 B150 1518 05EB 454B 15C4), and attach your own public key to the mail so that we can reply encrypted.
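A key fetched from a key server by name or e-mail address is not automatically the right key; the fingerprint printed above is what ties it to WithSecure. The script below is an added example, not part of the WithSecure page or their tooling: it fetches the key by full fingerprint, checks that what GnuPG actually imported has that fingerprint (rejecting short key IDs, which are easy to collide), and only then encrypts and signs the report and exports your own public key for attaching. The keyserver URL, the file names and the assumption that you already have a GnuPG key are the example's own; the fingerprint is the one published above.

```shell
#!/bin/sh
# Added example (not WithSecure's own tooling): verify the program's PGP key by
# fingerprint before encrypting a report to it.
#
# WITHSECURE_FPR is copied from the program page. Keyserver, file names and the
# requirement that you have your own GnuPG key are assumptions for this example.

WITHSECURE_FPR="2622 90BA C1DB AB46 2954 B150 1518 05EB 454B 15C4"

# Normalise a fingerprint as a human would paste it: drop whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Return 0 only if the expected value is a well-formed 40-hex-digit (v4)
# fingerprint and the actual value is identical after normalisation.
# Deliberately refuses 8- or 16-digit key IDs: those are suffixes of the
# fingerprint and trivially collidable, so they must never be used to match.
fingerprint_matches() {
    exp=$(normalize_fpr "$1")
    act=$(normalize_fpr "$2")
    case "$exp" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#exp}" -eq 40 ] || return 1
    [ "$exp" = "$act" ]
}

# Fetch the key by full fingerprint, then read back the fingerprint GnuPG
# actually imported and compare it. Matching by e-mail address is not enough.
fetch_and_verify_key() {
    fpr=$(normalize_fpr "$1")
    # Keyserver is an assumption; the page only says the key is "on key servers".
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$fpr" >/dev/null 2>&1 || return 1
    imported=$(gpg --batch --with-colons --fingerprint "$fpr" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    fingerprint_matches "$fpr" "$imported"
}

# Encrypt and sign the report, then export your own public key so the
# recipient can reply encrypted (the page asks you to attach it).
encrypt_report() {
    report="$1"      # plaintext report file, e.g. report.txt
    own_key="$2"     # your own key ID or e-mail address (assumed to exist)
    fpr=$(normalize_fpr "$WITHSECURE_FPR")
    # Trust was established by the fingerprint check in fetch_and_verify_key,
    # so tell gpg not to stop on the "no assurance this key belongs to..." prompt.
    gpg --batch --armor --sign --encrypt --trust-model always \
        --local-user "$own_key" --recipient "$fpr" \
        --output "${report}.asc" "$report" || return 1
    gpg --batch --armor --export "$own_key" > "my-public-key.asc"
}

main() {
    fetch_and_verify_key "$WITHSECURE_FPR" || {
        echo "fingerprint mismatch or fetch failed; do not encrypt to this key" >&2
        exit 1
    }
    encrypt_report "$1" "$2" || exit 1
    echo "wrote ${1}.asc and my-public-key.asc; attach both to the mail" >&2
}

# Usage: sh encrypt_report.sh report.txt you@example.org
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

The fingerprint comparison is the part worth keeping even if you drive gpg by hand: `gpg --fingerprint` prints the value in the same spaced, upper-case groups as the page, so normalising both sides before comparing avoids a visual near-match slipping through.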

What to include in your report

  • What you found
  • Where exactly you found it and steps to reproduce
    • Example: If the attack relates to a specific URI and parameter, provide that information in detail
    • Example: If you are performing fuzzing activities, provide additional information including the initial corpus you used
  • If the vulnerability applies to a service, the date and time (UTC) when you could reproduce it
  • If the vulnerability applies to a client, provide the client version number, platform, and database version
  • Possible impact or ways an attacker can leverage the vulnerability
  • Proof-of-Concept or functional exploit if available
  • Fix suggestion if available

We aim to send a receipt within five working days. If you do not hear back by then, please resend the report.

Our developers will look into the matter and determine whether your finding is a security vulnerability and if we can reproduce it with the information you supplied. If it qualifies, a reward will be paid after the issue has been fixed.

We cannot commit to any specific fixing schedule as each case is different. However, we internally give high priority to externally reported security issues and will aim to keep you updated on the status.

We may at times publish the names of people we have rewarded. If you would rather stay behind an alias or remain anonymous, we will of course respect that.

A reward will not be paid if the finding becomes public in any way before it is fixed. If someone else has already reported the same finding, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides enough technical detail to reproduce the finding.

The size of the reward is solely determined by a WithSecure team of technical staff, based on the estimated risk posed by the vulnerability. The current reward range is from EUR 500 to EUR 18,000.

Up to €18,000
  • Remote code execution on production server (cloud backend)
  • Remote file inclusion on production server
  • Significant authentication bypass on production server containing critical information
€12,000
  • Privilege escalation in EVM
€10,000
  • Privilege escalation in Cloud Service (granting admin rights to low-privilege users)
Up to €7,500
  • Remote code execution on client software
  • Data extraction from a production server
  • Access control issue exposing Personally Identifiable Information
Up to €3,000
  • Remote code execution within a sandbox
  • Local privilege escalation on customer machine
  • Persistent denial of service on anti-virus or privacy functionality
Up to €1,000
  • Temporary denial of service of anti-virus
  • Temporary high-impact DoS of local product functionality
Up to €500
  • Security-related misconfiguration on production server or client software

IMPORTANT: Please do not send your payment information to us up front. We will ask for the appropriate information if and when a payment is due.

Payments are made as bank transfers within the Single Euro Payments Area (SEPA) or international bank wire transfers outside the SEPA. We cannot use checks, cryptocurrencies, or any other money transfer services. Payments are by default in Euros (EUR) and any currency conversions are done at the current bank rate.

We are required to report all individual researchers’ rewards to the Finnish Tax Administration irrespective of where you live. Before payment we will request your full name, date of birth, a current physical mail address, and your bank transfer details.

The recipient is responsible for any taxes. If you are taxed in Finland, we are required to collect the withholding tax and require your personal ID number and optionally your taxation certificate for the current year.

Due to identification requirements, we will only deal with the original reporter directly using the email address from the initial report.

You may reverse-engineer and decompile WithSecure clients strictly and solely for the purpose of conducting security research for this vulnerability reward program. This permission applies only to WithSecure clients explicitly named and listed in this vulnerability reward program, excluding any licensed third party components therein. You may not disclose, show or publish to any third parties any code or parts thereof in any form you have derived resulting from this permission.

WithSecure reserves the right to discontinue this reward program and change its terms at any time without prior notification. This text was last modified on 2022-12-22. Unless specifically extended, the current vulnerability reward program will end on 30th June 2026. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to WithSecure of any kind.