No software is perfect. Even security applications can have issues that need to be fixed. So four years ago, F-Secure invited security researchers to find vulnerabilities in our products. And the results have paid off, both for our customers and for the bug hunters who find and report vulnerabilities.
F-Secure’s Vulnerability Reward Program has now awarded more than €100,000 in bug bounties for more than 100 vulnerabilities.
“The program began with just a few of our products in 2015,” says Kiran Krishnappa, F-Secure Security Vulnerability Analyst. “Here we are in 2019 with more than 20 products in the scope of the program, and new ones added as our portfolio evolves.”
‘It makes for better products’
After reviewing the program’s objectives, focus and purpose, F-Secure has renewed the program for another year.
“We are committed to the continuation of the program,” says Erka Koivunen, F-Secure’s Chief Information Security Officer. “This is an institutionalized way for us to draw from that pool of talent and to reward those who identify bugs. However, we review the need for and the merits of the program annually.”
Erka says that the internal debate about renewal allows his team to make a decision that isn’t based just on hype or industry trends. They discuss which bug-bounty-hosting organizations to engage with, the commitment to the program throughout the company (including top-level management), and clear indicators that show strategic goals are being met.
“The program has to demonstrably benefit our software security initiative,” he says. “So far, we have been extremely satisfied with the result. And we intend to keep it that way.”
One factor in the effort’s success has been that permission to tear apart products line-by-line is extended to researchers both outside and inside of F-Secure.
“Recognizing that we employ world-class hackers, we have found the internal flavor of our bug bounty to nicely complement the external one,” Erka says. “It makes for better products, it rewards extracurricular activity of our fellows, and it also makes them more intimately familiar with our technology.”
Someone is going to find the bugs
Companies that don’t take vulnerability reporting seriously put their customers at risk.
No matter what you do, criminals are on the hunt for security weaknesses. Bugs that have never been fixed—often bugs that have been known about for years—remain a huge part of the problem of securing the internet of things (IoT), an industry that is, in many cases, decades behind in its security mindset.
In addition to inviting security researchers to dig into our products and rewarding them for their efforts, F-Secure fellows do their own share of improving other companies’ products and software through responsible disclosure.
In recent months, F-Secure consultants have issued warnings about flawed boot schemes in a particular system-on-chip (SoC) used in automotive, aviation, consumer electronics, and industrial components as well as a coding bug that could allow attackers to exploit BIG-IP load balancers relied upon by large banks, governments and other organizations.
‘You help keep our users secure’
F-Secure honors successful participants with monetary rewards and recognition in our Hall of Fame.
“We just want to do what we can to show how we appreciate researchers who participated in our bug bounty program,” Kiran says. “Please keep your research coming in. You help us keep our users secure.”
For details about how the program works and how to submit, check out this page.