In Scope

| Scope Type | Scope Name |
|---|---|
| undefined | Bitdefender BOX v2 |

Out of Scope

| Scope Type | Scope Name |
|---|---|
| android_application | Bitdefender Central (Android App) |
| ios_application | Bitdefender Central (iOS App) |
Bitdefender BOX protects all devices connected to the Internet, not just a laptop or desktop computer. BOX secures smartphones, smart TVs, and all your other home appliances, like Wi-Fi thermostats, gaming consoles, and even your baby monitor. BOX can be controlled from the Central website or the easy-to-use mobile app.
Researchers must supply their own device for testing. If you don't already own a BOX v2, you can acquire a device in 2 ways:
1) Purchase a device through the Bitdefender website.
2) Qualify as an "Expert Researcher" (survey link below).
The scope of this bounty program is to find vulnerabilities that can be exploited as a guest, or remotely (e.g. a friend coming to your place, connecting to your Wi-Fi network and hacking your BOX device, OR exploiting other customers' devices remotely).
It's important to note that the Bitdefender Box communicates through a cloud app - however, this program is provided exclusively for the reporting of security issues pertaining to any communication directly to/from the Box itself. If you're able to identify any vulnerabilities in the cloud app, they should be reported here: https://bugcrowd.com/bitdefender. The Bitdefender Security team will determine the nature and impact of the vulnerabilities at their sole discretion. The following vulnerabilities are in-scope for the program:
1.b) Ability to access/control the BOX remotely without proper authorization (not on the same LAN) - reward varies depending on impact
2.a) Remote Code Execution - Ability to get remote code execution against the BOX without proper authorization (ON the same LAN) - achieving this objective will be rewarded in the range of $2500
2.b) Ability to access/control the BOX without proper authorization (ON the same LAN) - reward varies depending on impact
3.a) DoS - crash our product remotely (not on the same LAN) - $2500
3.b) DoS - crash our product (ON the same LAN) - $1000
Attacking your own device from a BOX Administrator standpoint is not eligible for reward.
Vulnerabilities submitted which are not included in the above list may not be rewarded. This is decided at the sole discretion of the Bitdefender team. See Scope - Additional Details for more information on scoping. Furthermore, ONLY vulnerabilities on BOX products are in-scope. Vulnerabilities found on Bitdefender mobile apps & central.bitdefender.com are out-of-scope.
All instructions for the product are in the BOX package (default passwords, how to configure, etc). To configure/setup BOX v2, install the "Bitdefender Central" mobile application. Create an account or log in using an existing account. User accounts are shared by the mobile & web apps. Please note that the mobile app is not in scope for this program. However, if you believe you've found a way to be able to control someone else's device via the mobile app, you're encouraged to submit it - and we'll review whether it's in scope or rewardable.
The BOX is managed via the Bitdefender Central App https://central.bitdefender.com. Login using the same account registered via the mobile application. User accounts are shared by the mobile & web apps. Please note that any vulnerabilities found in the webapp should be reported here: https://bugcrowd.com/bitdefender - and not to this program.
In Scope

| Target name | Type |
|---|---|
| Bitdefender BOX v2 | IoT |

Out of Scope

| Target name | Type |
|---|---|
| Bitdefender Central (iOS App) | iOS |
| Bitdefender Central (Android App) | Android |
| <https://central.bitdefender.com> | Website |
Any domain/property of Bitdefender or associated business entities not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Vulnerabilities that can be exploited as a guest or remotely (e.g. a friend coming to your home, connecting to your Wi-Fi network, and hacking your BOX device, OR exploiting other customers' devices remotely). Please DO NOT attack any devices, accounts, or networks that are not yours.
The Bitdefender BOX communicates through a CLOUD APP. While the cloud app is not in scope for this program, if you're able to identify any vulnerabilities in this web application, please submit here: https://bugcrowd.com/bitdefender
Vulnerabilities discovered in the "Bitdefender Central" mobile applications (iOS & Android) are NOT IN SCOPE!
ONLY BOX Products and Services are in-scope for this program (other Bitdefender products & services are available via BOX, but are out-of-scope for this program).
If you find a vulnerability on a non-BOX product or service, please submit it via the Bitdefender Public Program.
When conducting vulnerability research according to this policy, we consider this research to be:
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.