Our program statement
Exein is continuously developing its products to make device firmware more secure. The early stage of development won't prevent us from submitting our product to security researchers. Exein's bounty program aims to encourage talented groups of independent security researchers and individual researchers to identify potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.
Get rewards for successful vulnerability submissions
Bounties for successful vulnerability submissions range from a minimum of €500 up to €3000. Depending on the severity and complexity of the identified potential vulnerability, higher bonuses may be paid out at our discretion.
What is our Bounty Program scope?
The current scope is limited to the Exein Core LSM in its use-case.
Exein Core is a component of Exein's security suite in charge of monitoring a target process's behavior and, in particular, its divergence from what is considered its "normal behavior". Please review the Exein Core technical documentation.
In particular, no disclosures that assume any of the following conditions will be taken into consideration:
- Vulnerabilities due to poorly trained models
- Vulnerabilities assuming the attacker already has a valid user on the device
- Vulnerabilities involving physical access to the device
- Vulnerabilities starting from any firmware component not under Exein Core's control. For example, using a flaw or a misconfiguration in a component not monitored by Exein, whose interfaces are publicly exposed, to gain access to the system is not considered a valid scenario.
- Scenarios in which the Exein-controlled binary is a custom binary, or a mainstream binary crafted or patched, in such a way that attackers can control the system call flow.
- Any vulnerability that results in a DoS of any kind.
The component must be targeted in its use-case scenario for the proof to be eligible for the bounty. No bounties will be given for any disclosures related to any bug identified outside this scope.
Responsible Disclosure and Guidelines
For your submission to qualify for a bounty, you must:
- Adhere to all guidelines and terms related to the program defined in Scope
- Be the first to submit this particular vulnerability
- Not disclose or discuss the vulnerability outside of this program before or after submitting it
- Prior to submission, provide contact and identity information according to the Italian laws for external workers and consultancy (Italian law: DL 50-24 Aprile 2017 "Normativa rapporti lavorativi occasionali")
Bugs that are outside the scope or guidelines detailed here are not eligible for this program.