22/03/2018
Reward: 100 $

Bitdefender

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Bitdefender.

We encourage security researchers to identify and submit vulnerability reports on virtually everything within Bitdefender's scope, including but not limited to the website, products and services.

Reward Range

Last updated 27 Jun 2019 14:24:49 UTC

Technical severity | Reward range
---|---
P1 Critical | $3,100 - $5,000
P2 Severe | $1,000 - $3,000
P3 Moderate | $200 - $500
P4 Low | $100 - $200

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
*.bitdefender.com | Website
*.bitdefender.net | Website
Bitdefender Total Security 2019 | Other
Bitdefender GravityZone Business Security | Other

Out of scope

Target name | Type
---|---
elearning.bitdefender.com | Website
cloud.bitdefender.net | Website
dlab-box.bitdefender.net | Website
community.bitdefender.com | Website
countrypartners.bitdefender.com | Website

DOWNLOAD LINKS:
Bitdefender Total Security 2019 -> https://www.bitdefender.com/solutions/total-security.html (CUSTOMERS)
Bitdefender GravityZone Business Security -> https://www.bitdefender.com/business/free-trials/ (BUSINESS)

Target info:

  • For authenticated testing, please self-provision accounts using your @bugcrowdninja address or an email that clearly identifies you as a researcher.
  • No payment or promotional codes will be provided for testing purposes.
  • Please refrain from testing contact forms or inputs that would result in a large amount of spam.

Rewards

Bitdefender will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but reserves the right to either downgrade or upgrade a finding's severity based on the criticality of its underlying risk to Bitdefender. Appropriate payouts will then be awarded accordingly. Any downgraded submission will come with a full and detailed explanation.

There are some things we explicitly ask you not to do:

  • When experimenting, please only attack test accounts you control. A PoC that unnecessarily involves accounts of other end users or Bitdefender employees may be disqualified.
  • Automated vulnerability scans are strictly prohibited.
  • Do not attack our end users in any way, and do not engage in the trade of stolen user credentials.
  • No phishing.

The following kinds of findings are specifically non-rewardable within this program:

  • Self XSS
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • Misconfigured or missing SPF records
  • Out of date software versions
  • Content spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploits must work at least on > IE 8.
  • A downloadable .htaccess file without a real security misconfiguration that could have security impact
  • Login page or one of our websites served over HTTP.
  • Password not enforced on user accounts
  • Clickjacking or any issue exploitable only through clickjacking
  • Vulnerabilities in our 3rd party partners' source code over which we have no control regarding the fix. These vulnerabilities should be reported directly to the 3rd party host (e.g. Hubspot).
  • Lack of Secure and HttpOnly cookie flags.
  • Username / email enumeration
  • CORS issues without a working PoC

Bitdefender considers the following issues FAD or Accepted RISK:

  1. https://store.bitdefender.com/affiliate.php?ACCOUNT=BTDLLC&AFFILIATE=30907&PATH=https://google.com
    Path parameter permits open redirects.

  2. https://store.bitdefender.com/order/checkout.php?SHOPURL=http://test.com
    The problem here is that this is the intended functionality: the SHOPURL parameter allows a vendor to link to a website other than the one defined on their account. We are also aware that this parameter is vulnerable to XSS.

  3. Brute force issues – no captcha or rate limiting
    We have received lots of reports regarding brute force. We do not consider this rewardable, but we can give researchers 5 kudos points for valid submissions that have some impact (e.g. spamming users from our email address because of missing rate limiting).

  4. The service that hosts connect.bitdefender.com allows another company's web page content to be included in the connect.bitdefender.com page by switching the 'ri' parameter.
    We will not reward this type of vulnerability.

  5. CSRF issues that have no security impact. We reward researchers only with kudos points, e.g. CSRF on a voting system or CSRF in notifications. We will decide the reward for CSRF issues that have low impact.

  6. Any subdomain takeover vulnerability on Bitdefender subdomains hosted by Edgecast Networks (e.g. content-down.bitdefender.com).

  7. WordPress vulnerabilities that were only just published and that our team has not patched yet, or where the PoC does not contain a working exploit of the vulnerability.

  8. Near-duplicate accounts allowed because of ignored email mutations –
    e.g. Gmail treats test@gmail.com and te.st@gmail.com as the same account.

  9. Hyperlink injection vulnerabilities
    e.g. www.evil.com entered as a first name/nickname.

  10. ACCOUNT TAKEOVER via Facebook auth, Google auth, Twitter auth, etc. on central.bitdefender.com and my.bitdefender.com.

  11. The Central and my.bitdefender.com ACCOUNT ACTIVATION functionality does not work. Even when an account is in the inactive state it behaves the same as an active one, so we do not reward reports about bypassing account activation.

  12. DLL hijacking and inter-process communication exploitation will receive only kudos points.

  13. AV bypass will be rewarded only if it outlines a method of bypassing the engines that would genuinely work remotely. If a sample is simply not detected by the engines it will not qualify for a reward, but it may receive kudos, as we would like to forward it to the lab for analysis.

  14. CORS issues are not valid without a working PoC; CORS on GravityZone is FAD.

  15. Vulnerable SWF files on www.bitdefender.com and download.bitdefender.com

  16. Privilege escalation on the GravityZone (GZ) ISO

  17. Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues)

HAPPY HUNTING!!

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019