Abitti Security Policy

The Matriculation Examination Board, which publishes the Abitti exam system, is interested in all security observations concerning the system. The installation instructions for the Abitti exam system can be found on this website.
We are committed to publishing observations concerning the system no later than three months after they have been brought to our attention. During this three‑month period we will:

• Assess the severity of the observation.
• Determine the scope of any necessary corrective measures and their implementation schedule.
• Plan the communication related to the publication, where necessary in cooperation with the party who submitted the report.

We will remain in contact with the person submitting the report throughout the entire process. When you report an issue, you can therefore be assured that it is taken seriously. As a rule, we do not pay rewards for observations.

Observations can be submitted via two different routes:

• First check whether we currently have an open bug bounty programme. You can find more information on any possible active programme at hackabi.org.
• If there is no active bug bounty programme, please contact us by email at abitti@ylioppilastutkinto.fi.

We would like to remind you that attempts to break into our online services (e.g. oma.abitti.fi, APIs used by Naksu or the exam room server) will be interpreted as hostile activity. The same applies to exam room servers used in the matriculation examinations or in practice exams organised by upper secondary schools.