Bitdefender Box v2

  • $200 – $5,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

7 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Bitdefender BOX protects all devices connected to the Internet, not just a laptop or desktop computer. BOX secures smartphones, smart TVs, and all your other home appliances, like Wi-Fi thermostats, gaming consoles, and even your baby monitor. BOX can be controlled from the central website or the easy-to-use mobile app.

Bitdefender Box2 Testing Device

Researchers must supply their own device for testing. If you don't already own a Box2, you can acquire a device in 2 ways:
1) Purchase a device through the Bitdefender website.
2) Qualify as an "Expert Researcher" (survey link below).

Rewards & Priorities

The scope of this bounty program is to find vulnerabilities that can be exploited as a guest, or remotely (e.g. a friend coming to your place, connecting to your WIFI network and hacking your BOX device, OR exploiting other customer devices remotely).

It's important to note that the Bitdefender Box communicates through a cloud app - however, this program is provided exclusively for the reporting of security issues pertaining to any communication directly to/from the Box itself. If you're able to identify any vulnerabilities in the cloud app, they should be reported here:

The Bitdefender Security team will determine the nature and impact of the vulnerabilities at their sole discretion. The following vulnerabilities are in-scope for the program:

  • 1.a) Remote Code Execution - Ability to get remote code execution against the BOX without proper authorization (not on the same LAN) - achieving this objective will be rewarded in the range of 5000$
  • 1.b) Ability to access/control the BOX remotely without proper authorization (not on the same LAN) - reward varies depending on impact

  • 2.a) Remote Code Execution - Ability to get remote code execution against the BOX without proper authorization (ON the same LAN) - achieving this objective will be rewarded in the range of 2500$

  • 2.b) Ability to access/control the BOX without proper authorization (ON the same LAN) - reward varies depending on impact

  • 3.a) DOS - crash our product remotely (not on the same LAN) - 2500$

  • 3.b) DOS - crash our product (ON the same LAN) - 1000$

  • Attacking your own device from a BOX Administrator standpoint is not eligible for reward

Vulnerabilities submitted which are not included in the above list may not be rewarded. This is decided at the sole discretion of the Bitdefender team. See Scope - Additional Details for more information on scoping. Furthermore, ONLY vulnerabilities on BOX products are in-scope. Vulnerabilities found on Bitdefender mobile apps & are out-of-scope.

Account Setup - Mobile App

All instructions for the product are in the BOX package (default passwords, how to configure, etc). To configure/setup BOX v2, install the "Bitdefender Central" mobile application. Create an account or log in using an existing account. User accounts are shared by the mobile & web apps. Please note that the mobile app is not in scope for this program. However, if you believe you've found a way to be able to control someone else's device via the mobile app, you're encouraged to submit it - and we'll review whether it's in scope or rewardable.

Account Setup - Web App

The BOX is managed via the Bitdefender Central App Login using the same account registered via the mobile application. User accounts are shared by the mobile & web apps. Please note that any vulnerabilities found in the webapp should be reported here: - and not to this program.


In scope

Target name                          Type
Bitdefender BOX v2                   IoT

Out of scope

Target name                          Type
Bitdefender Central (iOS App)        iOS
Bitdefender Central (Android App)    Android
                                     Website

Any domain/property of Bitdefender or associated business entities not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Scope - Additional Details

  • Vulnerabilities that can be exploited as a guest or remotely. (e.g. a friend coming to your home, connecting to your WIFI network, and hacking your BOX device OR exploiting other customer devices remotely). Please DO NOT attack any devices, accounts, or networks that are not yours.

  • The Bitdefender BOX communicates through a CLOUD APP. While the cloud app is not in scope for this program, if you're able to identify any vulnerabilities in this web application, please submit here:

  • Vulnerabilities discovered in "Bitdefender Central" -- mobile applications (iOS & Android) are NOT IN SCOPE!

  • ONLY BOX Products and Services are in-scope for this program (other Bitdefender products & services are available via BOX, but are out-of-scope for this program).

  • If you find a vulnerability on a non-BOX product or service, please submit it via the Bitdefender Public Program.

A closer look at how it works:

    1. SAFE BROWSING - Bitdefender BOX blocks all unsafe or malicious URLs to protect against phishing & online fraud.
    2. VULNERABILITY ASSESSMENT - Bitdefender BOX continuously scans, identifies and highlights network security flaws.
    3. EXPLOIT PREVENTION - Identify and block attempts to exploit vulnerabilities in your devices and network.
    4. ADVANCED PARENTAL CONTROLS - Efficient and intuitive tools to manage daily Internet time, set content filters by age categories or pause the Internet altogether for precious family time.
    5. DEVICE MANAGEMENT - Whenever a new device connects to your network, Bitdefender BOX promptly detects it and sends an instant notification to your Bitdefender Central app so you can take action and control what that device is allowed to do.
    6. LOCAL DEVICE SECURITY - Bitdefender BOX includes Total Security, our award winning cybersecurity suite to protect all your laptops, desktops, smartphones and tablets, across Windows, macOS, iOS and Android. These are not in the scope of this program. You can submit any issues related to Bitdefender Total Security on the Bugcrowd Bitdefender Public Program.
    7. ANOMALY DETECTION - Bitdefender BOX understands how devices should behave under normal circumstances and is able to accurately identify, block and alert you upon any malicious activity. The learning period is about 2 weeks in which the BOX generates a model for the protected device. The model won't be created for devices which generate a lot of noise (e.g. laptops). It will be generated for devices which have simple patterns (e.g. IoT devices).
    8. BRUTE-FORCE PROTECTION - The brute force protection technology will prevent hackers from taking control over your devices.
    9. SENSITIVE DATA PROTECTION - No sensitive information sent without encryption. This feature will identify whenever credit card information, authentication information or location data is sent over a non-encrypted connection and block the attempt.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.