Discovered a security vulnerability?

Tell us about it

Vulnerabilities found in ESET products or ESET websites

If you believe you have found a vulnerability in any ESET product or web application please inform us confidentially via security@eset.com.

If you believe you have found a vulnerability in any ESET product or web application, please inform us confidentially.

Drop us a line
Before submitting a report, please read the Report Policy and Out of scope section. An automatic reply is sent when report is successfully processed by our system and waiting for review from a security specialist. Within three working days a security specialist will send the reporter feedback via security@eset.com. Our target is to provide a fix for confirmed vulnerabilities within 90 calendar days of disclosure. Reports of confirmed and fixed vulnerabilities are rewarded with a goodie bag.
When assessing the vulnerability, use the latest version of CVSS -
we will prioritize our response based on this CVSS score or vector string.
As a CNA for applicable vulnerabilities in our products, ESET will reserve a CVE ID automatically.

Please note that we will not initiate a law enforcement investigation or any lawsuit against you for the content of the report.

Sensitive and Personal information

Never attempt to access sensitive or personal data. If you obtain sensitive or personal information during your security research, follow these steps:

- STOP your research or actions that involve sensitive or personal information immediately

- DO NOT save, copy, disclose, transfer or do any activity related to the sensitive or personal information

- ALERT us immediately and support us in the mitigation effort

Out of scope vulnerabilities

Report Policy

  • Reach out to us via security@eset.com
  • Reports and all related materials are encrypted by PGP public key
  • Include your organization and contact name
  • Write a clear description of the potential vulnerability
  • Add all information needed to validate the potential vulnerability
  • Include the ESET product and module version (see KBs on finding product and module versions ) for reports related to the product
  • Product-related reports should contain a log file from ESET SysInspector if applicable
  • Proof of concept – please provide as detailed description as you can, including screenshots and video (marked as private when uploaded to stream services)
  • Mitigation suggestions are highly appreciated
  • Include the impact that you expect the potential vulnerability has on users, ESET employees or others
  • We request the reporter to keep any communication regarding vulnerability confidential
  • Inform about any disclosure plans and coordinate with us
  • Must be written in the English language

Please note that the report may be rejected when:

  • It matches criteria from “Out of scope” section
  • It does not follow our Report Policy
  • It is duplicated, only an original report from first reporter is considered

The reporter will be notified about any update in the process of fixing and/or mitigation.

ESET is a strong believer in the coordinated vulnerability disclosure process and publicly credits security vulnerability reporters for their efforts if they do not wish to remain anonymous.

THANK YOU.