Bitdefender Vulnerability Disclosure Program

1. PURPOSE STATEMENT

Bitdefender is committed to providing a secure environment for customers and partners. As part of this commitment, we engage the efforts of security researchers to identify potential vulnerabilities in our products and services. We follow responsible disclosure guidelines to ensure our customers address potential vulnerabilities as quickly as possible to mitigate associated risks.

2. DEFINITIONS

Vulnerability – a weakness or flaw in a product or service that can be exploited by a threat actor to perform unauthorized actions within a computer system, such as compromising its confidentiality, integrity or availability.

Vulnerability disclosure – the practice of reporting newly discovered vulnerabilities in products and services directly to the vendors of the affected product.

Security advisory – a document or message that provides vulnerability information intended to reduce risk.

3. APPLICABILITY AND SCOPE

Bitdefender encourages security researchers to identify and submit vulnerability reports regarding virtually everything within Bitdefender’s scope, including but not limited to the website, products and services.

Targets within Bitdefender’s scope are the following:

  • Bitdefender Consumer Line Products (Bitdefender Antivirus Plus, Bitdefender Internet Security, Bitdefender Total Security, Bitdefender Antivirus for Mac, Bitdefender Mobile Security, Bitdefender Antivirus Free)
  • Bitdefender GravityZone Business Security
  • *.bitdefender.com
  • *.bitdefender.net
  • Bitdefender Engines and Software Development Kits

4. RESPONSIBILITIES

Security researcher

  • Submit the vulnerability report in an encrypted format;
  • Include in the report the affected Bitdefender product name and version, a description of the vulnerability, a proof of concept and any additional information needed to help us reproduce the issue;
  • Keep in touch with our Information Security team until the vulnerability is closed.

Bitdefender Information Security team

  • Acknowledge receipt of the report;
  • Validate and reproduce the issue;
  • Provide the product manager with all the information necessary to help fix the vulnerability;
  • Maintain communication with the security researcher, providing updates on the process of addressing the issue and the timeline.

5. REPORT A VULNERABILITY

Bitdefender encourages security researchers to submit vulnerability reports in an encrypted format to vulnerability-disclosure@bitdefender.com.

Our PGP key can be found here.

We also run a bug bounty program. If you wish to participate, refer to the program page for more details.

The Bitdefender Information Security team will acknowledge receipt of the report, and validate and reproduce the issue together with product teams, security engineers or developers. Additional help and collaboration might be required from security researchers to go through these steps and make sure the potential issue is confirmed.

6. SECURITY ADVISORIES AND ACKNOWLEDGMENT

Bitdefender is committed to resolving confirmed vulnerabilities as quickly as possible.

An advisory will be published in our Security Advisories section to ensure affected customers are kept informed about vulnerabilities in our products and services.

All vulnerability reports submitted to us can be subject to our bug bounty program if the required qualification criteria are met. Bug bounties are only offered if the researcher agrees to our bug bounty terms and conditions for eligibility and legal aspects.