DISCOVERED A SECURITY VULNERABILITY?

Tell us about it

Security is a process, not an end state. That is why we kindly ask you to report any security vulnerability affecting ESET products or resources to security@eset.com.

We investigate every reported issue with the researcher individually and with the shortest response time possible. Please report all vulnerabilities in English via security@eset.com. In your report, include the following:

  • Target – ESET service identified by IP address, URL, etc., or ESET product including the product version
  • Type of issue – general description of the vulnerability and its type (e.g. according to OWASP: cross-site scripting, buffer overflow, SQL injection, etc.)
  • Proof-of-concept and/or URL demonstrating the vulnerability – some demonstration that shows us how the vulnerability works. It might be:
    • URL containing the payload – e.g. XSS in GET request parameters;
    • Link to a general checker – e.g. for SSL vulnerabilities;
    • Video – generally usable;
    • Detailed description; or
    • A combination of any of the above.

You may optionally also include your recommendation on how to fix the vulnerability.

To encrypt your email communications to us, please use our PGP public key.

Out of scope vulnerabilities

Web applications

  • Descriptive error messages (e.g. stack traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Lack of a security speed bump when leaving the site.
  • Weak CAPTCHA / CAPTCHA bypass.
  • Brute force on the Forgot Password page and account lockout not enforced.
  • OPTIONS HTTP method enabled.
  • Username / email enumeration:
    • via Login page error message
    • via Forgot Password page error message
  • Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.:
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL issues, e.g.:
    • SSL attacks such as BEAST, BREACH, renegotiation attack
    • SSL forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • Banner disclosure on common/public services.
  • Self-XSS and issues exploitable only through Self-XSS.
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing).

Product vulnerabilities

  • DLL injection in ESET installers.
  • No SSL on update/download servers.
  • Tapjacking.

ESET strongly believes in, and practices, the responsible disclosure process, and publicly credits security vulnerability reporters for their efforts unless they wish to remain anonymous.

Thank you.
ESET