Vulnerability Disclosure Policy

This document describes the security vulnerability disclosure policy of F-Secure Labs. It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner which is of maximum value to all affected parties.

It is F-Secure Labs' intention to meet a number of key objectives during the disclosure process and these are listed here:

  • To ensure the company’s clients are provided with the greatest level of protection against the vulnerabilities in their systems.
  • To maintain an effective line of communication with the software vendor so that appropriate fixes can be produced in a timely manner.
  • To provide the users of the vulnerable software with the opportunity to apply appropriate fixes before full details of the issue are made public.
  • To release details of the vulnerability through appropriate channels so that the information can be distributed to the interested parties within the IT industry.
  • To provide accurate information about the vulnerability so that security professionals are able to determine the vulnerability of systems they are assessing.

Advisory Production and Disclosure Process

Upon the discovery of any previously unpublished security vulnerability a period of analysis and further research will initially be conducted. Subsequently an advisory will be produced that documents the type of issue and its causes. The advisory will also include details of any proof of concept exploit and an immediate workaround to mitigate the risk that the issue exposes.

Once the advisory has been produced it will initially be released to the vendor of the affected product or software. However, if the vulnerability is discovered during a penetration test being conducted against one of F-Secure's clients it will be disclosed to them in the first instance. This will ensure that they receive the highest level of service with respect to the reduction of business risk. Each of F-Secure's clients is subject to a Non-Disclosure Agreement so that the information shared with them cannot be redistributed without our express permission.

Every vulnerability discovered is individually assessed to quantify risks associated with it, the results of this review are used to guide disclosure using the following high level process. 

  • F-Secure will endeavour to use communication channels documented by the software vendor for security issues. If a security contact is provided this will be used in the first instance, otherwise communication will be attempted by email or telephone to the most appropriate resource.
  • If no response to the vendor communications have been received within 4 weeks of the initial contact vulnerability mitigation information may be published to F-Secure current clients.
  • A minimum of 2 weeks after disclosure to F-Secure clients and following no response from the vendor an appropriate level of vulnerability information will be released into the public domain.

It is hoped that a communication channel will be established with the vendor within 2 weeks of initial attempts to contact them. Using this channel it is expected that the vendor will inform F-Secure about their intended fix for the issue as well as establishing a "reasonable" timeline for the publication of patches and updates for the vendor’s customers. F-Secure Consulting will endeavour to work with any software vendor to ensure that the entire disclosure process is in line with their timelines.

A date for publishing the advisory to F-Secure's clients and then subsequently to the public will also be agreed. However, if the communication channel is not maintained by the vendor F-Secure retains the right to alter the timescales for publication based on the level of service expected by their clients.

This disclosure policy is documented to ensure that all parties involved in the process are aware of its aims and objectives. As stated previously, each vulnerability that is discovered will be different and it is expected that the disclosure process can be conducted in a manner that provides the greatest level of assurance to all affected parties. Where deviations to this process are required they will be conducted in a manner that is in line with the objectives set out here.





HP Multi-Function Printers - Improper validation of an array index

F-Secure discovered that HP multi-function printers (MFPs) can be used to expose infrastructure to attack. A remote code execution vulnerability in the printer can allow a local or remote malicious actor to gain control over the...

Read more

HP Multi-Function Printers - Exposed UART Interfaces

F-Secure found that HP multi-function printers (MFPs) have unlocked shells on the communications board connectors. A malicious actor with physical access to the device might be able to place a temporary or persistent implant via those interfaces.

Read more

OP-TEE TrustZone bypass at wakeup on NXP i.MX6UL

The Open Portable Trusted Execution Environment (OP-TEE) is an open source Trusted Execution Environment (TEE) implementing the Arm TrustZone technology.

Read more


Printing Shellz

What do you get when you combine a hardware hacker (Alexander), a red teamer who wants to learn hardware security (Timo), and a spare HP multi-function printer? Two happy hackers, unconventional zero-days, new tooling for the...

Read more

Threat Intelligence Report: Lazarus Group Campaign Targeting the Cryptocurrency Vertical

In 2019, F-Secure uncovered technical details on Lazarus Group’s modus operandi during an investigation of an attack on an organisation in the cryptocurrency vertical.

Read more

The Fake Cisco

Producing counterfeit products is, and always was, a great business if you don't mind being on the wrong side of things. No need to invest in a costly R&D process, no need to select the best...

Read more