We treat all reports with high priority and investigate all issues directly with the reporter as quickly as possible. Send your report via firstname.lastname@example.org and include the following information:
- Target – ESET server identified by IP address, hostname, URL, etc.; or the ESET product, including version number (see our KnowledgeBase article to determine the version number).
- Type of issue – the type of vulnerability (e.g. according to OWASP, such as cross-site scripting, buffer overflow, SQL injection, etc.) and include a general description of the vulnerability.
- Proof-of-concept and/or URL demonstrating the vulnerability – a demonstration of the vulnerability that shows how it works. Examples include:
- URL containing payload – e.g. XSS in GET request parameters
- Link to general checker – e.g. SSL vulnerabilities
- Video – generally useable (if uploading to a streaming service, please mark it as private)
- Log file from ESET SysInspector (see how to create ESET SysInspector log) or Microsoft Problem Steps Recorder (see how to use Problem Steps Recorder), if applicable
Please provide as detailed a description as you can, or send us a combination of any of the previous choices. We welcome any recommendations on how to fix the vulnerability, if applicable.
To encrypt your email communications to us, please use our PGP public key:
ESET is a strong believer in, as well as a practitioner of, the responsible disclosure process and publicly credits security vulnerability reporters for their efforts if they do not wish to remain anonymous.