We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Bitdefender.
|Technical severity||Reward range|
|p1 Critical||$3,100 - $5,000|
|p2 Severe||$1,000 - $3,000|
|p3 Moderate||$200 - $500|
|p4 Low||$100 - $200|
Bitdefender Total Security 2020 -> https://www.bitdefender.com/solutions/total-security.html (CUSTOMERS)
Bitdefender GravityZone Business Security -> https://www.bitdefender.com/business/free-trials/ (BUSINESS)
- For authenticated testing please self-provision utilizing your @bugcrowdninja address or an email that clearly identifies you as a researcher.
- No payment or promotional codes will be provided for testing purposes
- Please refrain from testing contact forms or inputs that would result in a large amount of spam.
Bitdefender will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but reserve the right to either downgrade or upgrade findings’ severity based on the criticality of their underlying risk to Bitdefender. Appropriate payouts will then be awarded accordingly. Any downgraded submission with come with a full and detailed explanation.
There are some things we explicitly ask you not to do:
- When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other end users or Bitdefender employee may be disqualified.
- Automated vulnerability scans are strictly prohibited.
- In any way, do not attack our end users, or engage in the trade of stolen user credentials.
- No phishing
The following kinds of findings are specifically non-rewardable within this program:
- Self XSS
- Descriptive error messages (e.g. stack traces, application or server errors).
- Misconfigured or lack of SPF records
- Out of date software versions
- Content Spoofing
- Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work at least on > IE 8.
- .htaccess downloadable file without a real security misconfiguration that can have security impact
- Login page or one of our websites over HTTP.
- Password not enforced on user accounts
- Clickjacking or any issue exploitable through clickjacking
- Vulnerabilities in our 3rd party partners source code on which we don't have any control regarding the fix. This vulnerabilities should be directly reported to the 3rd party host ( e.g. Hubspot).
- Lack of Secure and HTTPOnly cookie flags.
- Username / email enumeration
- CORS issues without a working PoC
Bitdefender considers the following issues FAD or Accepted RISK:
Path parameter permits open redirects.
The problem here is that this is the intended functionality: the SHOPURL parameter allows a vendor to link a different website than the one defined on his account. Also, we are aware that this parameter is vulnerable to XSS.
Bruteforce issues – No captcha or rate limiting
We’ve received lots of reports regarding brute force, we don’t consider this to be rewardable but we can give researchers 5 kudos points for valid submissions that have some impact(ex: spamming users from our email address because of no rate limit)
The service that host connect.bitdefender.com allow other company web page content to be included in connect.bitdefender.com page by switching the 'ri' parameter
We will not reward this type of vulnerability.
CSRF issues – That have no security impact. We reward researchers only with kudos points. EX: CSRF on a voting system or CSRF in notifications/etc. We will decide the reward on the CSRF issues that have low impact.
Any subdomain takeover vulnerability on Bitdefender subdomains hosted by Edgecast Networks.(e.g. content-down.bitdefender.com)
Wordpress vulnerabilities that were just published and our team didn’t patch them yet or the PoC doesn't have a working exploit of the vulnerability.
Near duplicate accounts allowed with ignored email mutations –
Gmail issues email@example.com or firstname.lastname@example.org same account.
Hyperlink injection vulnerabilities
www.evil.com as a first name/nickname etc.
ACCOUNT TAKEOVER via facebook auth, google auth, twitter auth, etc in Central.bitdefender.com and my.bitdefender.com.
Central and my.bitdefender.com ACCOUNT ACTIVATION functionality doesn’t work. Even if the account is in inactive state it has the same behavioral with an active one so we don’t reward reports related to bypass account activation.
DLL hijacking and Inter-Process communications exploitation will receive only kudos points.
AV bypass will be rewarded only if it outlines a method to bypass the engines that would genuinely work remotely. If a sample is simply not detected by the engines it won’t qualify for a reward, but may receive kudos - as we would like forward it to the lab for analysis.
CORS issues are not valid without a working POC / CORS on Gravityzone is FAD.
www.bitdefender.com & download.bitdefender.com vulnerable SWF files
Priv esc on GZ iso
Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues)
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.