  • $100 – $5,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

262 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$563.63 average payout (last 3 months)



Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We appreciate all security concerns brought to our attention and are constantly striving to stay on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Bitdefender.

Target Promotion Event :: July 13th - November 13th

The following specific targets are a part of a bonus reward event for the Bitdefender program:

The reward ranges for bugs found on these targets are as follows:

Technical severity   Low reward   High reward
P1                   $4,650       $7,500
P2                   $2,000       $4,500
P3                   $200         $500
P4                   $100         $200

Reward range

Technical severity   Reward range
P1  Critical         $3,100 - $5,000
P2  Severe           $1,000 - $3,000
P3  Moderate         $200 - $500
P4  Low              $100 - $200

P5 submissions do not receive any rewards for this program.


In scope

Target name Type Tags
* Website Testing
  • jQuery
  • PHP
  • Newrelic
  • Website Testing
* Website Testing
  • jQuery
  • PHP
  • Newrelic
  • Website Testing
Bitdefender Total Security 2020 Other
Bitdefender GravityZone Business Security Other
Bitdefender Antimalware Engines Other

Bitdefender Total Security 2020 -> (CUSTOMERS)
Bitdefender GravityZone Business Security -> (BUSINESS)

Target info:

  • For authenticated testing, please self-provision accounts using your @bugcrowdninja address or an email address that clearly identifies you as a researcher.
  • No payment or promotional codes will be provided for testing purposes.
  • Please refrain from testing contact forms or inputs that would result in a large amount of spam.


Bitdefender will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but reserves the right to either downgrade or upgrade a finding's severity based on the criticality of its underlying risk to Bitdefender. Payouts will then be awarded accordingly. Any downgraded submission will come with a full and detailed explanation.

There are some things we explicitly ask you not to do:

  • When experimenting, please only attack test accounts you control. A PoC that unnecessarily involves accounts of other end users or Bitdefender employees may be disqualified.
  • Automated vulnerability scans are strictly prohibited.
  • Do not attack our end users in any way, and do not engage in the trade of stolen user credentials.
  • No phishing.

The following kinds of findings are specifically non-rewardable within this program:

  • Self XSS
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • Misconfigured or missing SPF records
  • Out of date software versions
  • Content Spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. The exploit must work on at least IE 9 or newer (> IE 8).
  • A downloadable .htaccess file without a real security misconfiguration that has security impact
  • A login page, or any of our websites, served over HTTP.
  • Password not enforced on user accounts
  • Clickjacking or any issue exploitable through clickjacking
  • As a rule of thumb, we do not reward vulnerabilities found in third-party components. We use many of these, most of which have their own bug bounty programs, and such vulnerabilities affect every company that integrates or uses the same code. Please report these issues to the company that originated the code so they can be fixed upstream. We may contact the upstream provider ourselves to ensure we are not shipping vulnerable code, and if we do, you will be credited for the find.
  • Lack of Secure and HTTPOnly cookie flags.
  • Username / email enumeration
  • CORS issues without a working PoC

Bitdefender considers the following issues FAD or Accepted RISK:

  1. Path parameter permits open redirects.
    This is intended functionality: the SHOPURL parameter allows a vendor to link to a different website than the one defined on their account. We are also aware that this parameter is vulnerable to XSS.

  3. Brute-force issues – no CAPTCHA or rate limiting.
    We have received many reports regarding brute force. We do not consider this rewardable, but we can give researchers 5 kudos points for valid submissions that have some impact (e.g. spamming users from our email address because of missing rate limiting).

  4. The service on that host allows another company's web page content to be included in the page by switching the 'ri' parameter.
    We will not reward this type of vulnerability.

  5. CSRF issues that have no security impact (e.g. CSRF on a voting system or CSRF in notifications). We reward researchers only with kudos points for these. For CSRF issues with low impact, we will decide the reward case by case.

  6. Any subdomain takeover vulnerability on Bitdefender subdomains hosted by Edgecast Networks.(e.g.

  7. WordPress vulnerabilities that were just published and that our team has not yet patched, or where the PoC does not include a working exploit of the vulnerability.

  8. Near-duplicate accounts allowed through ignored email mutations (e.g. Gmail address variants that resolve to the same mailbox).

  9. Hyperlink injection vulnerabilities as a first name/nickname etc.

  10. ACCOUNT TAKEOVER via facebook auth, google auth, twitter auth, etc in and

  11. Central and ACCOUNT ACTIVATION functionality does not act as a gate: even if an account is in the inactive state, it behaves the same as an active one, so we do not reward reports about bypassing account activation.

  12. DLL hijacking and inter-process communication exploitation will receive only kudos points.

  13. AV bypass will be rewarded only if the report outlines a method to bypass the engines that would genuinely work remotely. If a sample is simply not detected by the engines, it will not qualify for a reward, but it may receive kudos, as we would like to forward it to the lab for analysis.

  14. CORS issues are not valid without a working PoC. CORS on GravityZone is FAD.

  15. & vulnerable SWF files

  16. Privilege escalation on the GravityZone (GZ) ISO.

  17. Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues)


Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.