Security is a process, not a destination.
That's why you can report any security vulnerability affecting ESET products or resources, just drop us a line to security@eset.com.
Vulnerability categories we encourage
We treat all reports with high priority and investigate all issues directly with the reporter as quickly as possible. Please when you make a report, do so in English via security@eset.com and include the following information:
- Target – ESET server identified by IP address, hostname, URL and so forth or the ESET product, including version number (see our KnowledgeBase article to determine the version number)
- Type of issue – the type of vulnerability (e.g. according to OWASP, such as cross-site scripting, buffer overflow, SQL injection, etc.) and include a general description of the vulnerability.
- Proof-of-concept and/or URL demonstrating the vulnerability – a demonstration of the vulnerability that shows how it works. Examples include:
● URL containing payload – e.g. XSS in GET request parameters
● Link to general checker – e.g. SSL vulnerabilities
● Video – generally useable (if uploading to a streaming service, please mark it as private)
● Log file from ESET SysInspector (see how to create ESET SysInspector log) or Microsoft Problem Steps Recorder (see how to use Problem Steps Recorder), if applicable
● Please provide as detailed description as you can, or send us a combination of any of the previous choices.
We warmly welcome any recommendations on how to fix the vulnerability, if applicable.
To encrypt your email communications to us, please use our PGP public key:
Out of scope vulnerabilities
Web applications
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTP Only flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled
- Username / email enumeration
● via Login Page error message
● via Forgot Password error message - Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
● Strict-Transport-Security
● X-Frame-Options
● X-XSS-Protection
● X-Content-Type-Options
● Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
● Content-Security-Policy-Report-Only - SSL Issues, e.g.
● SSL Attacks such as BEAST, BREACH, Renegotiation attack
● SSL Forward secrecy not enabled
● SSL weak / insecure cipher suites - Banner disclosure on common/public services
- Self-XSS and issues exploitable only through Self-XSS
- Findings derived primarily from social engineering (e.g. phishing, vishing, smishing)
Product vulnerabilities
- dll injection in ESET installers
- No SSL in update/download servers
- Tapjacking
ESET is a strong believer in, as well as a practitioner of, the responsible disclosure process and publicly credits security vulnerability reporters for their efforts if they do not wish to remain anonymous.
THANK YOU.
ESET