Bitdefender Box v2

  • $200 – $5,000 per vulnerability
  • Managed by Bugcrowd

Program stats

7 vulnerabilities rewarded

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Bitdefender BOX protects all devices connected to the Internet, not just a laptop or desktop computer. BOX secures smartphones, smart TVs, and all your other home appliances, like Wi-Fi thermostats, gaming consoles, and even your baby monitor. BOX can be controlled from the central website or the easy-to-use mobile app.

Bitdefender Box2 Testing Device

Researchers must supply their own device for testing. If you don't already own a Box2, you can acquire a device in 2 ways:
1) Purchase a device through the Bitdefender website.
2) Qualify as an "Expert Researcher" (survey link below).

Discount Code & Expert Researcher Survey

  • Expert Researcher Survey - IF you believe that you are an Expert IoT / Network Device Researcher, we encourage you to fill out this survey with your qualifications: Expert IoT / Network Researcher Survey. All responses will be reviewed; if you're uniquely qualified for testing against this target type, we'll ship you a free Bitdefender BOX2 for testing purposes.

Rewards & Priorities

The scope of this bounty program is to find vulnerabilities that can be exploited as a guest, or remotely (e.g. a friend coming to your place, connecting to your Wi-Fi network and hacking your BOX device, OR exploiting other customers' devices remotely).

It's important to note that the Bitdefender Box communicates through a cloud app - however, this program is provided exclusively for the reporting of security issues pertaining to any communication directly to/from the Box itself. If you're able to identify any vulnerabilities in the cloud app, they should be reported here: https://bugcrowd.com/bitdefender. The Bitdefender Security team will determine the nature and impact of the vulnerabilities at their sole discretion. The following vulnerabilities are in-scope for the program:

  • 1.a) Remote Code Execution - Ability to get remote code execution against the BOX without proper authorization (not on the same LAN) - achieving this objective will be rewarded in the range of $5,000
  • 1.b) Ability to access/control the BOX remotely without proper authorization (not on the same LAN) - reward varies depending on impact
  • 2.a) Remote Code Execution - Ability to get remote code execution against the BOX without proper authorization (ON the same LAN) - achieving this objective will be rewarded in the range of $2,500
  • 2.b) Ability to access/control the BOX without proper authorization (ON the same LAN) - reward varies depending on impact
  • 3.a) DoS - crash our product remotely (not on the same LAN) - $2,500
  • 3.b) DoS - crash our product (ON the same LAN) - $1,000
  • Attacking your own device from a BOX Administrator standpoint is not eligible for reward

Vulnerabilities submitted which are not included in the above list may not be rewarded. This is decided at the sole discretion of the Bitdefender team. See Scope - Additional Details for more information on scoping. Furthermore, ONLY vulnerabilities on BOX products are in-scope. Vulnerabilities found on Bitdefender mobile apps & central.bitdefender.com are out-of-scope.

Account Setup - Mobile App

All instructions for the product are in the BOX package (default passwords, how to configure, etc). To configure/setup BOX v2, install the "Bitdefender Central" mobile application. Create an account or log in using an existing account. User accounts are shared by the mobile & web apps. Please note that the mobile app is not in scope for this program. However, if you believe you've found a way to be able to control someone else's device via the mobile app, you're encouraged to submit it - and we'll review whether it's in scope or rewardable.

Account Setup - Web App

The BOX is managed via the Bitdefender Central App https://central.bitdefender.com. Login using the same account registered via the mobile application. User accounts are shared by the mobile & web apps. Please note that any vulnerabilities found in the webapp should be reported here: https://bugcrowd.com/bitdefender - and not to this program.

Targets

Any domain/property of Bitdefender or associated business entities not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Scope - Additional Details

  • Vulnerabilities that can be exploited as a guest or remotely. (e.g. a friend coming to your home, connecting to your WIFI network, and hacking your BOX device OR exploiting other customer devices remotely). Please DO NOT attack any devices, accounts, or networks that are not yours.

  • The Bitdefender BOX communicates through a CLOUD APP. While the cloud app is not in scope for this program, if you're able to identify any vulnerabilities in this web application, please submit here: https://bugcrowd.com/bitdefender

  • Vulnerabilities discovered in the "Bitdefender Central" mobile applications (iOS & Android) are NOT IN SCOPE!

  • ONLY BOX Products and Services are in-scope for this program (other Bitdefender products & services are available via BOX, but are out-of-scope for this program).

  • If you find a vulnerability on a non-BOX product or service, please submit it via the Bitdefender Public Program.
A closer look at how it works:

    1. SAFE BROWSING - Bitdefender BOX blocks all unsafe or malicious URLs to protect against phishing & online fraud.
    2. VULNERABILITY ASSESSMENT - Bitdefender BOX continuously scans, identifies and highlights network security flaws.
    3. EXPLOIT PREVENTION - Identify and block attempts to exploit vulnerabilities in your devices and network.
    4. ADVANCED PARENTAL CONTROLS - Efficient and intuitive tools to manage daily Internet time, set content filters by age categories or pause the Internet altogether for precious family time.
    5. DEVICE MANAGEMENT - Whenever a new device connects to your network, Bitdefender BOX promptly detects it and sends an instant notification to your Bitdefender Central app so you can take action and control what that device is allowed to do.
    6. LOCAL DEVICE SECURITY - Bitdefender BOX includes Total Security, our award-winning cybersecurity suite to protect all your laptops, desktops, smartphones and tablets, across Windows, macOS, iOS and Android. These are not in the scope of this program. You can submit any issues related to Bitdefender Total Security on the Bugcrowd Bitdefender Public Program.
    7. ANOMALY DETECTION - Bitdefender BOX understands how devices should behave under normal circumstances and is able to accurately identify, block and alert you upon any malicious activity. The learning period is about 2 weeks, during which the BOX generates a model for the protected device. The model won't be created for devices which generate a lot of noise (e.g. laptops). It will be generated for devices which have simple patterns, e.g. IoT devices.
    8. BRUTE-FORCE PROTECTION - The brute-force protection technology will prevent hackers from taking control over your devices.
    9. SENSITIVE DATA PROTECTION - No sensitive information is sent without encryption. This feature will identify whenever credit card information, authentication information or location data is sent over a non-encrypted connection and block the attempt.

Program Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.