Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

November 5, 2015

Some Holiday Spending Money (“bug bounty”)

Filed under: Cybersecurity,Security — Patrick Durusau @ 5:38 pm

Vulnerability Reward Program

From the post:

F-Secure rewards parties who report security vulnerabilities in certain F-Secure products and services, also known as a “bug bounty” program. In order to avoid misunderstandings and ambiguities, we apply the following guidelines; even if lengthy, please read them in their entirety before participating.

We want to hear about any security vulnerabilities in our products and services. In order to reward security researchers, we offer monetary rewards for eligible security vulnerability reports that are disclosed to us in a coordinated way. However, there are certain rules that need to be followed to ensure that your security research does not cause security risk to other users or their data, and to decrease the likelihood that your research would be flagged as a malicious intrusion attempt by our monitoring. We also want to be clear about certain aspects relating to acceptance of reports and payment of rewards in order to avoid any surprises.

A “security vulnerability” is defined as an issue that causes a breach of confidentiality, integrity, or availability of the service or data, or applies to personal data (privately identifiable information) being stored or processed in a way that is not compliant with the current Finnish data protection legislation.

See the post for a list of products that are eligible under the “bug bounty” program.

I reported recently on the $1 million bounty on the iPhone: Justice Department on iPhone Hacking: Call Chaouki Bekrar @Zerodium.

At the other end of the “bug bounty” world, you can find F-Secure, which offers:


The size of the reward is solely determined by an F-Secure team consisting of our technical staff, and is based on the estimated risk posed by the vulnerability. The current reward range is from EUR 100 to EUR 15.000.

If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be paid.

On the higher end you might get a buzz for a day or two but the rewards aren’t enough to attract serious talent.

On the other hand, you won’t have a lot of competition so perhaps your odds will be marginally better.

Good hunting!
