• $100 – $5,000 per vulnerability
  • Managed by Bugcrowd

Program stats

174 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$386.66 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Bitdefender.

We encourage security researchers to identify and submit vulnerability reports regarding virtually everything that falls within the Bitdefender scope, including but not limited to the website, products and services.

Reward Range

Technical severity   Reward range
P1 Critical          $3,100 - $5,000
P2 Severe            $1,000 - $3,000
P3 Moderate          $200 - $500
P4 Low               $100 - $200

P5 submissions do not receive any rewards for this program.


In scope

Target name Type
* Website
* Website
Bitdefender Total Security 2019 Other
Bitdefender GravityZone Business Security Other

Out of scope

Target name Type
* Website
* Website
* Website
* Website
* Website

Bitdefender Total Security 2019 -> (CUSTOMERS)
Bitdefender GravityZone Business Security -> (BUSINESS)

Target info:

  • For authenticated testing please self-provision utilizing your @bugcrowdninja address or an email that clearly identifies you as a researcher.
  • No payment or promotional codes will be provided for testing purposes.
  • Please refrain from testing contact forms or inputs that would result in a large amount of spam.


Bitdefender will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but reserves the right to either downgrade or upgrade a finding's severity based on the criticality of its underlying risk to Bitdefender. Appropriate payouts will then be awarded accordingly. Any downgraded submission will come with a full and detailed explanation.

There are some things we explicitly ask you not to do:

  • When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other end users or Bitdefender employees may be disqualified.
  • Automated vulnerability scans are strictly prohibited.
  • Do not attack our end users in any way, or engage in the trade of stolen user credentials.
  • No phishing.

The following kinds of findings are specifically non-rewardable within this program:

  • Self XSS
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • Misconfigured or lack of SPF records
  • Out of date software versions
  • Content Spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work at least on > IE 8.
  • .htaccess downloadable file without a real security misconfiguration that can have security impact
  • Login page or one of our websites over HTTP.
  • Password not enforced on user accounts
  • Clickjacking or any issue exploitable through clickjacking
  • Vulnerabilities in our 3rd party partners' source code, over which we have no control regarding the fix. These vulnerabilities should be reported directly to the 3rd party host (e.g. Hubspot).
  • Lack of Secure and HttpOnly cookie flags.
  • Username / email enumeration
  • CORS issues without a working PoC

Bitdefender considers the following issues FAD or Accepted RISK:

    Path parameter permits open redirects.

    The problem here is that this is the intended functionality: the SHOPURL parameter allows a vendor to link to a different website than the one defined on their account. Also, we are aware that this parameter is vulnerable to XSS.

  3. Broken authentication and session management
    Ex: token not expiring, a session not deleted after logout, reset link still works after use, etc.
    We had LOTS of reports about these issues, so we are already aware of these problems.
    Still, if anyone finds anything that can be considered CRITICAL (P1/P2), we can take a look at that report and decide whether it is rewardable or not.

  4. Brute-force issues – no captcha or rate limiting
    We've received lots of reports regarding brute force. We don't consider this to be rewardable, but we can give researchers 5 kudos points for valid submissions that have some impact (ex: spamming users from our email address because of no rate limit).

  5. The service that host allows other companies' web page content to be included in the page by switching the 'ri' parameter
    We will not reward this type of vulnerability.

  6. CSRF issues that have no security impact. We reward researchers only with kudos points. EX: CSRF on a voting system, CSRF in notifications, etc. We will decide the reward for CSRF issues that have low impact.

  7. Any subdomain takeover vulnerability on Bitdefender subdomains hosted by Edgecast Networks.(e.g.

  8. WordPress vulnerabilities that were just published and that our team hasn't patched yet, or where the PoC doesn't have a working exploit of the vulnerability.

  9. Near-duplicate accounts allowed with ignored email mutations –
    Gmail issues or the same account.

  10. Hyperlink injection vulnerabilities in a first name/nickname, etc.

  11. ACCOUNT TAKEOVER via facebook auth, google auth, twitter auth, etc in and

  12. Central and ACCOUNT ACTIVATION functionality doesn't work. Even if the account is in an inactive state, it behaves the same as an active one, so we don't reward reports related to bypassing account activation.

  13. Bitdefender Antivirus is susceptible to a DLL pre-loading attack if a user is tricked into downloading an arbitrary DLL file that resides in the same folder as the installer (ex: a DLL named DWMAPI.dll, among others).

  14. AV bypass will be rewarded only if it outlines a method to bypass the engines that would genuinely work remotely. If a sample is simply not detected by the engines, it won't qualify for a reward, but may receive kudos, as we would like to forward it to the lab for analysis.

  15. CORS issues are not valid without a working PoC; CORS on GravityZone is FAD.

  16. & vulnerable SWF files

  17. Privilege escalation on the GZ ISO

  18. Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues)


Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.