We appreciate all security concerns brought to our attention and strive to stay on top of the latest threats. Being proactive rather than reactive about emerging security issues is a fundamental belief at Bitdefender.
We encourage security researchers to identify and submit vulnerability reports on anything within Bitdefender's scope, including but not limited to our websites, products and services.
Last updated 27 Jun 2019 14:24:49 UTC
Technical severity | Reward range
P1 Critical | $3,100 - $5,000
P2 Severe | $1,000 - $3,000
P3 Moderate | $200 - $500
P4 Low | $100 - $200
P5 submissions do not receive any rewards for this program.
Targets in scope:
Target name | Type
*.bitdefender.com | Website
*.bitdefender.net | Website
Bitdefender Total Security 2019 | Other
Bitdefender GravityZone Business Security | Other
Targets excluded from scope:
Target name | Type
elearning.bitdefender.com | Website
cloud.bitdefender.net | Website
dlab-box.bitdefender.net | Website
community.bitdefender.com | Website
countrypartners.bitdefender.com | Website
Bitdefender Total Security 2019 -> https://www.bitdefender.com/solutions/total-security.html (CUSTOMERS)
Bitdefender GravityZone Business Security -> https://www.bitdefender.com/business/free-trials/ (BUSINESS)
Bitdefender will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but reserves the right to either downgrade or upgrade a finding's severity based on the criticality of its underlying risk to Bitdefender. Payouts are then awarded accordingly. Any downgraded submission will come with a full and detailed explanation.
There are some things we explicitly ask you not to do:
The following kinds of findings are specifically non-rewardable within this program:
Open redirects via the path parameter.
This is intended functionality: the SHOPURL parameter allows a vendor to link to a website other than the one defined on their account. We are also aware that this parameter is vulnerable to XSS.
Brute-force issues (no CAPTCHA or rate limiting).
We have received many brute-force reports and do not consider them rewardable. We may award 5 kudos points for valid submissions that demonstrate some impact (e.g. spamming users from our email address because of missing rate limiting).
The service hosting connect.bitdefender.com allows content from other companies' web pages to be included in a connect.bitdefender.com page by changing the 'ri' parameter.
We will not reward this type of finding.
CSRF issues with no security impact (e.g. CSRF on a voting system or in notifications) are rewarded with kudos points only. For CSRF issues with low impact, we decide the reward case by case.
Any subdomain takeover on Bitdefender subdomains hosted by Edgecast Networks (e.g. content-down.bitdefender.com).
WordPress vulnerabilities that were only recently published and that our team has not yet patched, or reports whose PoC does not include a working exploit for the vulnerability.
Near-duplicate accounts made possible by ignored email mutations, e.g. Gmail treating firstname.lastname@example.org and email@example.com as the same account.
Hyperlink injection, e.g. entering www.evil.com as a first name or nickname.
Account takeover via Facebook, Google, Twitter or other third-party authentication on central.bitdefender.com and my.bitdefender.com.
Account activation on Central and my.bitdefender.com does not currently function: an account in the inactive state behaves the same as an active one, so we do not reward reports about bypassing account activation.
DLL hijacking and inter-process communication exploitation receive kudos points only.
AV bypass is rewarded only if the report outlines a method of bypassing the engines that would genuinely work remotely. A sample that is simply not detected by the engines does not qualify for a reward, but may receive kudos, as we would like to forward it to the lab for analysis.
CORS issues are not valid without a working PoC; CORS on GravityZone is FAD.
Vulnerable SWF files on www.bitdefender.com and download.bitdefender.com.
Privilege escalation on the GravityZone (GZ) ISO.
Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues)
When conducting vulnerability research according to this policy, we consider this research to be:
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research; we waive those restrictions on a limited basis for work done under this policy;
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.