Bitdefender Box v2

  • $200 – $5,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 7
  • Validation within 3 days: 75% of submissions are accepted or rejected within 3 days


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Bitdefender BOX protects all devices connected to the Internet, not just a laptop or desktop computer. BOX secures smartphones, smart TVs, and all your other home appliances, like Wi-Fi thermostats, gaming consoles, and even your baby monitor. BOX can be controlled from the Central website or the easy-to-use mobile app.

Bitdefender Box2 Testing Device

Researchers must supply their own device for testing. If you don't already own a Box2, you can acquire a device in 2 ways:
  1) Purchase a device through the Bitdefender website.
  2) Qualify as an "Expert Researcher" (survey link below).


Rewards & Priorities

The scope of this bounty program is to find vulnerabilities that can be exploited as a guest, or remotely (e.g. a friend coming to your place, connecting to your Wi-Fi network and hacking your BOX device, OR exploiting other customers' devices remotely).

It's important to note that the Bitdefender Box communicates through a cloud app; however, this program is provided exclusively for the reporting of security issues pertaining to any communication directly to/from the Box itself. If you're able to identify any vulnerabilities in the cloud app, they should be reported here: https://bugcrowd.com/bitdefender. The Bitdefender Security team will determine the nature and impact of the vulnerabilities at their sole discretion. The following vulnerabilities are in-scope for the program:

  • 1.a) Remote Code Execution - Ability to get remote code execution against the BOX without proper authorization (NOT on the same LAN) - achieving this objective will be rewarded in the range of $5,000
  • 1.b) Ability to access/control the BOX remotely without proper authorization (NOT on the same LAN) - reward varies depending on impact
  • 2.a) Remote Code Execution - Ability to get remote code execution against the BOX without proper authorization (ON the same LAN) - achieving this objective will be rewarded in the range of $2,500
  • 2.b) Ability to access/control the BOX without proper authorization (ON the same LAN) - reward varies depending on impact
  • 3.a) DoS - crash our product remotely (NOT on the same LAN) - $2,500
  • 3.b) DoS - crash our product (ON the same LAN) - $1,000
  • Attacking your own device from a BOX Administrator standpoint is not eligible for reward

Vulnerabilities submitted which are not included in the above list may not be rewarded. This is decided at the sole discretion of the Bitdefender team. See Scope - Additional Details for more information on scoping. Furthermore, ONLY vulnerabilities in BOX products are in scope for this program. Vulnerabilities found in the Bitdefender mobile apps & central.bitdefender.com are out-of-scope.


Account Setup - Mobile App

All instructions for the product are in the BOX package (default passwords, how to configure, etc.). To configure/set up BOX v2, install the "Bitdefender Central" mobile application. Create an account or log in using an existing account. User accounts are shared by the mobile & web apps. Please note that the mobile app is not in scope for this program. However, if you believe you've found a way to control someone else's device via the mobile app, you're encouraged to submit it, and we'll review whether it's in scope or rewardable.

Account Setup - Web App

The BOX is managed via the Bitdefender Central web app at https://central.bitdefender.com. Log in using the same account registered via the mobile application. User accounts are shared by the mobile & web apps. Please note that any vulnerabilities found in the web app should be reported here: https://bugcrowd.com/bitdefender, and not to this program.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.