Emsisoft Bug Bounty Program

Security is very important to us and we appreciate the responsible disclosure of issues.

We also understand that a lot of effort goes into security research, which is why we pay up to $500 USD per accepted security vulnerability, depending on how severe and exploitable it turns out to be. Please keep in mind that our bug bounty program will only reward researchers who follow responsible disclosure guidelines and never disclose any information about the vulnerability to the public or any entity other than Emsisoft before the issue has been fixed and the fix has been rolled out to our customers.

Once we receive your report, it may take us up to 10 business days to review and respond. If your submission meets our criteria, we will pay the bug bounty per unique bug reported. Of course, we also give credit to researchers in our release notes.

Please note that the following bug types are specifically excluded from the bounty:

  • Non-detection of malware or protection bypasses, with the exception of bypasses that can’t be fixed by adding rules or signatures.
  • Vulnerabilities in third-party libraries or frameworks, the Windows operating system, or third-party web applications, plugins, or services that we use or that host our services (e.g. store.emsisoft.com, support.emsisoft.com, etc.). Essentially: if we didn’t write the exploitable code, we don’t consider it to be covered by this bug bounty program.
  • Issues that are non-exploitable but lead to crashes, information leaks, or stability issues.
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt, publicly accessible login forms).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • CSRF on forms that are available to the public without registration (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser “autocomplete” or “save password”.
  • Issues that require physical access to the device to carry out the exploit.
  • Theoretical issues that lack practical severity.
  • Mail configuration issues related to DKIM, DMARC or SPF.
  • Missing security headers, SSL configuration issues, as well as non-secure elements being pulled into secure sites.
  • Vulnerabilities where a fix is not feasible.
  • Redirect issues, unless the redirect can be used to exfiltrate sensitive information (authentication tokens for example).
  • Non-amplified brute-force attacks.
  • Attacks relying on social engineering or access to the user’s email account, unless access to said account was obtained through a vulnerability in our products.

If the same vulnerability is reported by multiple researchers at the same time, the reward will go to the first person who reported it.

Requirements

To report a vulnerability, please email us at [email protected]. If you would like to encrypt your submission, please use the following GPG key:


Please include as much information as possible in your submission, but as a minimum we expect steps to reproduce the vulnerability and an explanation of why you consider it as such. Feel free to include a video if you fancy, but remember to mark it as private if you use any public hosting or streaming services like YouTube.

Important: We require a working proof-of-concept and won’t accept any automated reports or reports for theoretical issues.

Thank you for your help in making our products and services better!