Discovered a security vulnerability?

Tell us about it

ESET products or resources

If you believe you have found a vulnerability in any ESET product or web application, please inform us confidentially. Every valid report will be rewarded.

Website - www.eset.com

Our partnership with HackTrophy helps us to stay ahead of any potential problems. Let us know about any security issue on our website and claim your reward.

Out of scope vulnerabilities

Web applications

  • Reports from automated tools or scans
  • Denial of Service attacks
  • Man-in-the-middle attacks
  • Attacks requiring physical access to the user's device
  • Hypothetical issues that do not have any practical impact
  • Publicly accessible login panels without proof of exploitation
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) and other non-technical attacks
  • Informative-severity and low-severity issues
  • Spamming
  • Clickjacking and issues only exploitable through clickjacking
  • Fingerprinting / banner disclosure on common/public services
  • Mail configuration issues (SPF, DKIM, DMARC settings)
  • Descriptive error messages (e.g. stack traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Disclosure of known public or non-sensitive files or directories (e.g. robots.txt, crossdomain.xml or any other policy files, including wildcard presence/misconfiguration in these)
  • Nonstandard HTTP methods enabled
  • Missing security headers (such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options)
  • Lack of Secure/HttpOnly/SameSite flags on non-sensitive cookies
  • Open redirect that cannot be used to exfiltrate sensitive information (session cookies, OAuth tokens)
  • Management issues with multiple concurrent active sessions
  • Host-header injection attacks
  • Self-XSS and issues exploitable only through Self-XSS
  • CSRF on forms that are available to anonymous users (e.g. the contact form)
  • CSRF on logout
  • Presence of application or web browser 'autocomplete' or 'save password' functionality
  • Forgot Password page brute force and account lockout not enforced
  • Username / email enumeration without any further impact
  • Rate-limiting issues
  • Weak CAPTCHA / CAPTCHA bypass
  • Use of a known-vulnerable library without a description of an exploit specific to our implementation
  • SSL/TLS issues (e.g. weak/insecure ciphers, BEAST, BREACH, renegotiation attacks, etc.)

Product vulnerabilities

  • DLL injection in ESET installers
  • No SSL/TLS on update/download servers
  • Tapjacking

Vulnerability categories we encourage

We treat all reports with high priority and investigate all issues directly with the reporter as quickly as possible. When you make a report, please do so in English via security@eset.com and include the following information:

  • Target – the ESET server identified by IP address, hostname, URL and so forth, or the ESET product, including its version number (see our KnowledgeBase article on how to determine the version number)
  • Type of issue – the type of vulnerability (e.g. according to OWASP, such as cross-site scripting, buffer overflow, SQL injection, etc.) together with a general description of the vulnerability.
  • Proof-of-concept and/or URL demonstrating the vulnerability – a demonstration of the vulnerability that shows how it works. Examples include:
    ●  URL containing the payload – e.g. XSS in GET request parameters
    ●  Link to a general checker – e.g. SSL/TLS vulnerabilities
    ●  Video – generally usable (if uploading to a streaming service, please mark it as private)
    ●  Log file from ESET SysInspector (see how to create an ESET SysInspector log) or Microsoft Problem Steps Recorder (see how to use Problem Steps Recorder), if applicable
    ●  Please provide as detailed a description as you can, or send us a combination of any of the previous choices.

We warmly welcome any recommendations on how to fix the vulnerability, if applicable.

To encrypt your email communications to us, please use our PGP public key.

ESET is a strong believer in, as well as a practitioner of, the responsible disclosure process, and publicly credits security vulnerability reporters for their efforts unless they wish to remain anonymous.

THANK YOU.