32 vulnerabilities rewarded
4 days average response time
$292.59 average payout (last 12 weeks)
Latest hall of famers
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Bitdefender.
We encourage security researchers to identify and submit vulnerability reports regarding virtually everything that bears the Bitdefender scope, including but not limited to the website, products and services.
Out of scope
Bitdefender Total Security 2018 -> https://www.bitdefender.com/solutions/total-security.html (CUSTOMERS)
Bitdefender GravityZone Business Security -> https://www.bitdefender.com/business/free-trials/ (BUSINESS)
- For authenticated testing please self-provision utilizing your @bugcrowdninja address or an email that clearly identifies you as a researcher.
- No payment or promotional codes will be provided for testing purposes
- Please refrain from testing contact forms or inputs that would result in a large amount of spam.
Bitdefender will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but reserve the right to either downgrade or upgrade findings’ severity based on the criticality of their underlying risk to Bitdefender. Appropriate payouts will then be awarded accordingly. Any downgraded submission with come with a full and detailed explanation.
|P1||$900 - $1,500|
|P2||$500 - $900|
|P3||$200 - $500|
|P4||$100 - $200|
There are some things we explicitly ask you not to do:
- When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other end users or Bitdefender employee may be disqualified.
- Automated vulnerability scans are strictly prohibited.
- In any way, do not attack our end users, or engage in the trade of stolen user credentials.
- No phishing
The following kinds of findings are specifically non-rewardable within this program:
- Self XSS
- Descriptive error messages (e.g. stack traces, application or server errors).
- Misconfigured or lack of SPF records
- Out of date software versions
- Content Spoofing
- Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work at least on > IE 8.
- .htaccess downloadable file without a real security misconfiguration that can have security impact
- Login page or one of our websites over HTTP.
- Password not enforced on user accounts
- Clickjacking or any issue exploitable through clickjacking
- Vulnerabilities in our 3rd party partners source code on which we don't have any control regarding the fix. This vulnerabilities should be directly reported to the 3rd party host ( e.g. Hubspot).
- Lack of Secure and HTTPOnly cookie flags.
- Username / email enumeration
- CORS issues without a working PoC
Bitdefender considers the following issues FAD or Accepted RISK:
Path parameter permits open redirects.
The problem here is that this is the intended functionality: the SHOPURL parameter allows a vendor to link a different website than the one defined on his account. Also, we are aware that this parameter is vulnerable to XSS.
Broken authentication and session management
Ex: Token not expiring, a session not deleted after logout, reset link still works after use, etc.
We had LOTS of reports with this issues so we are already aware of this problems.
Still, if anyone found anything that can be considered CRITICAL (P1/P2) we can take a look at that report and decide if it is rewardable or not.
Bruteforce issues – No captcha or rate limiting
We’ve received lots of reports regarding brute force, we don’t consider this to be rewardable but we can give researchers 5 kudos points for valid submissions that have some impact(ex: spamming users from our email address because of no rate limit)
The service that host connect.bitdefender.com allow other company web page content to be included in connect.bitdefender.com page by switching the 'ri' parameter
We will not reward this type of vulnerability.
CSRF issues – That have no security impact. We reward researchers only with kudos points. EX: CSRF on a voting system or CSRF in notifications/etc. We will decide the reward on the CSRF issues that have low impact.
Any subdomain takeover vulnerability on Bitdefender subdomains hosted by Edgecast Networks.(e.g. content-down.bitdefender.com)
Wordpress vulnerabilities that were just published and our team didn’t patch them yet. If a reporter finds out an unpatched vulnerability that is more than 1 week old, his report will be considered valid.
Near duplicate accounts allowed with ignored email mutations –
Gmail issues firstname.lastname@example.org or email@example.com same account.
Hyperlink injection vulnerabilities
www.evil.com as a first name/nickname etc.
ACCOUNT TAKEOVER via facebook auth, google auth, twitter auth, etc in Central.bitdefender.com and my.bitdefender.com.
Central and my.bitdefender.com ACCOUNT ACTIVATION functionality doesn’t work. Even if the account is in inactive state it has the same behavioral with an active one so we don’t reward reports related to bypass account activation.
Bitdefender Antivirus is susceptible to a DLL pre-loading attack if a user is tricked into downloading an arbitrary DLL file that resides in the same folder as the installer(ex: running dll like: DWMAPI.dll and others)
AV bypass will be rewarded only if it outlines a method to bypass the engines that would genuinely work remotely. If a sample is simply not detected by the engines it won’t qualify for a reward, but may receive kudos - as we would like forward it to the lab for analysis.
CORS issues are not valid without a working POC / CORS on Gravityzone is FAD.