Have you found a security vulnerability?

Please tell ESET about it.

Security is a process, not a goal.
That is why you must be able to report any security vulnerability affecting ESET products or resources. Please write to security@eset.com.

Recommended vulnerability categories

We treat all reports with high priority and investigate all issues directly with the reporter as quickly as possible.
When you make a report, please do so in English via security@eset.com and include the following information:

  • Target – ESET server identified by IP address, hostname, URL and so forth or the ESET product, including version number (see our KnowledgeBase article to determine the version number)
  • Type of issue – the type of vulnerability (e.g. according to OWASP, such as cross-site scripting, buffer overflow, SQL injection, etc.) and include a general description of the vulnerability.
  • Proof-of-concept and/or URL demonstrating the vulnerability – a demonstration of the vulnerability that shows how it works. Examples include:
    ●  URL containing payload – e.g. XSS in GET request parameters
    ●  Link to general checker – e.g. SSL vulnerabilities
    ●  Video – generally usable (if uploading to a streaming service, please mark it as private)
    ●  Log file from ESET SysInspector (see how to create an ESET SysInspector log) or Microsoft Problem Steps Recorder (see how to use Problem Steps Recorder), if applicable
    ●  Please provide as detailed a description as you can, or send us a combination of any of the previous choices.

We warmly welcome any recommendations on how to fix the vulnerability, if applicable.

To encrypt e-mail sent to ESET, use our PGP public key:

Out-of-scope vulnerabilities

Web applications

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Lack of a security speed bump when leaving the site.
  • Weak CAPTCHA / CAPTCHA bypass.
  • Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled.
  • Username / email enumeration:
    ●  via Login Page error message
    ●  via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    ●  Strict-Transport-Security
    ●  X-Frame-Options
    ●  X-XSS-Protection
    ●  X-Content-Type-Options
    ●  Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    ●  Content-Security-Policy-Report-Only
  • SSL issues, e.g.
    ●  SSL attacks such as BEAST, BREACH, renegotiation attack
    ●  SSL Forward secrecy not enabled
    ●  SSL weak / insecure cipher suites
  • Banner disclosure on common/public services
  • Self-XSS and issues exploitable only through Self-XSS
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing)

Product vulnerabilities

  • DLL injection in ESET installers
  • No SSL on update/download servers
  • Tapjacking

ESET is a strong believer in, as well as a practitioner of, the responsible disclosure process and publicly credits security vulnerability reporters for their efforts if they do not wish to remain anonymous.

THANK YOU.

ESET