Bitdefender Vulnerability Disclosure Program

1. PURPOSE STATEMENT

Bitdefender is committed to providing a secure environment for its customers. As part of this commitment, we engage the efforts of security researchers to identify potential vulnerabilities in our products and services. We follow the guidelines of responsible disclosure to ensure our customers can address potential vulnerabilities as quickly as possible and mitigate the associated risks.

2. DEFINITIONS

Vulnerability - a weakness or flaw in a product or service that can be exploited by a threat actor to perform unauthorized actions within a computer system, such as compromising its confidentiality, integrity or availability.

Vulnerability disclosure - the practice of reporting newly discovered vulnerabilities in products and services directly to the vendor of the affected product.

Security advisory - a document or message that provides vulnerability information intended to reduce risk.

3. APPLICABILITY AND SCOPE

Bitdefender encourages security researchers to identify and submit vulnerability reports regarding virtually everything that falls within the Bitdefender scope, including but not limited to the website, products and services.

In-scope targets are the following:

  • Bitdefender Consumer Line Products (Bitdefender Antivirus Plus, Bitdefender Internet Security, Bitdefender Total Security, Bitdefender Antivirus for Mac, Bitdefender Mobile Security, Bitdefender Antivirus Free)
  • Bitdefender GravityZone Business Security
  • *.bitdefender.com
  • *.bitdefender.net

4. RESPONSIBILITIES

Security researcher

  • Submit the vulnerability report in an encrypted format;
  • Include in the report the affected Bitdefender product name and version, a description of the vulnerability, a proof of concept, and any additional information needed to reproduce the issue;
  • Maintain communication with the Bitdefender Information Security team.

Bitdefender Information Security team

  • Acknowledge receipt of the report;
  • Validate and reproduce the issue;
  • Provide the product manager with all the information necessary to help fix the vulnerability;
  • Maintain communication with the security researcher, providing updates on the fixing process and timeline;
  • Develop and disseminate the vulnerability security advisory.

5. REPORT VULNERABILITY

Bitdefender encourages security researchers to submit vulnerability reports in an encrypted format to bugbounty@bitdefender.com. Our PGP key can be found here.

We also run a bug bounty program managed by Bugcrowd. Please see the program description here. All reports submitted there must follow Bugcrowd's standard disclosure terms.

The Bitdefender Information Security team will acknowledge receipt of the report and will validate and reproduce the issue together with the product manager, security engineers or developers. Additional help and collaboration may be required from the security researcher to go through these steps and to make sure the potential issue is confirmed.

6. SECURITY ADVISORIES AND ACKNOWLEDGMENT

Bitdefender is committed to resolving confirmed vulnerabilities as fast as possible.

An advisory will be published on our Security Advisories section to ensure that affected customers are kept informed about the vulnerabilities in our products and services.

All vulnerability reports submitted to us may qualify for our bug bounty program if the required qualification criteria are met. Bug bounties are offered only if the researcher agrees to our bug bounty terms and conditions covering eligibility and legal aspects.