Discovered a security vulnerability?

Tell us about it

Vulnerabilities found on listed ESET Websites

Our partnership with HackTrophy helps us to stay ahead of any potential threats. Let us know about any security issues on our websites. Confirmed reports on webs listed below are compensated with monetary rewards.

* ESET Global Website, including the sub-services go.eset.com, cookie.eset.com, search.eset.com and api.eset.com

Vulnerabilities found in ESET Products or ESET Websites

If you believe you have found a vulnerability in any ESET product or web application which is not defined in HackTrophy scope, please inform us confidentially via security@eset.com.

If you believe you have found a vulnerability in any ESET product or web application, please inform us confidentially.

Before submitting the report, please read the Report Policy and Out of Scope sections. Every report receives a first update within three working days (8x5 CET) via security@eset.com. An automatic reply is sent when the report has been successfully created in the system and is waiting for feedback from a security specialist. Our target is to provide a fix for a confirmed vulnerability within 90 days. Confirmed and fixed reports are rewarded with a goodie bag.

Please note that we will not initiate a law enforcement investigation or any lawsuit against you for the content of the report.

Sensitive and Personal information

Never attempt to access personal information or sensitive data. If you obtain sensitive or personal information during your security research, follow these steps:

- STOP your research or actions that include data or personal information immediately

- DO NOT save, copy, disclose, transfer or do any activity related to data or personal information

- ALERT us immediately and support us in the mitigation effort

Out of scope vulnerabilities

Web applications

  • Reports from automated tools or scans
  • Denial of Service Attacks
  • Man in the middle attacks
  • Attacks requiring physical access to the user's device
  • Hypothetical issues that do not have any practical impact
  • Publicly accessible login panels without proof of exploitation
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) & other non-technical attacks
  • Informative severity & low severity issues
  • Spamming
  • Clickjacking and issues only exploitable through clickjacking.
  • Fingerprinting / banner disclosure on common/public services.
  • Mail configuration issues (SPF, DKIM, DMARC settings)
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Disclosure of known public or non-sensitive files or directories (e.g. robots.txt, crossdomain.xml or any other policy files, wildcard presence/misconfiguration in these).
  • Nonstandard HTTP method enabled
  • Missing Security headers (such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options)
  • Lack of Secure/HTTP Only/SameSite flags on non-sensitive Cookies.
  • Open redirect that cannot be used to exfiltrate sensitive information (session cookies, OAuth tokens)
  • Management issues with multiple concurrent active sessions
  • Host-header injection attacks
  • Self-XSS and issues exploitable only through Self-XSS
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • CSRF on logout
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Forgot Password page brute force and account lockout not enforced.
  • Username / email enumeration without any further impact
  • Rate-limiting issues
  • Weak Captcha / Captcha Bypass
  • Use of a known-vulnerable library without a description of an exploit specific to our implementation
  • SSL Issues (example: weak/insecure cipher, BEAST, BREACH, Renegotiation attack, etc.)

Product vulnerabilities

  • Issues that can be covered by adding detection signature
  • DLL Injection
  • DLL Hijacking
  • No SSL in update/download servers
  • Local AV engine bypasses
  • Tapjacking
  • Known vulnerabilities in 3rd party components

Report Policy

  • Reach out to us via security@eset.com
  • Encrypt reports and all related materials with our PGP public key
  • Include your organization & contact name
  • Write a clear description of the potential vulnerability
  • Add all information needed to validate the potential vulnerability
  • Include the ESET product and module version (see KB product and KB module to determine the version number) in reports related to the product
  • Product-related reports should contain a log file from ESET SysInspector if applicable
  • Proof of Concept – please provide as detailed a description as you can, including screenshots or video (marked as private when uploaded to streaming services)
  • Mitigation suggestions are highly appreciated
  • Describe the impact you expect the potential vulnerability to have on users, ESET employees or others.
  • We request the reporter to keep any communication regarding vulnerability confidential
  • Inform about any disclosure plans and coordinate with us
  • Reports must be written in English

Please note that the report may be rejected when it:

  • matches the “Out of Scope” criteria
  • does not follow our Report Policy
  • is a duplicate (only the original report from the first reporter is taken into account)

The reporter will be notified about any update in the fix/mitigation process.

ESET is a strong believer in, as well as a practitioner of, the responsible disclosure process and publicly credits security vulnerability reporters for their efforts if they do not wish to remain anonymous.

THANK YOU.