Bitdefender Bug Bounty Program

Here you can check the Bitdefender hall of fame.

The Bug Bounty Reward program encourages security researchers to identify and submit vulnerability reports regarding virtually everything that bears the Bitdefender brand, including but not limited to the website, products and services.

We decided to offer rewards only for the following targets:

  • *.bitdefender.com
  • *.bitdefender.net
  • Bitdefender Total Security 2020
  • Bitdefender GravityZone Business Security
  • Bitdefender Antimalware Engines

The following kinds of findings are specifically non-rewardable within this program:
  • Self XSS
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HTTPOnly cookie flags.
  • Weak Captcha/Captcha Bypass.
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled.
  • HTTPS Mixed Content Scripts.
  • Username / email enumeration 
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers) 
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • Misconfigured or missing SPF records
  • Out of date software versions
  • Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues)
  • DLL hijacking and Inter-Process communications exploitation
  • AV bypass will be rewarded only if it outlines a method to bypass the engines that would genuinely work remotely. If a sample is simply not detected by the engines, it won’t qualify for a reward.
  • www.bitdefender.com & download.bitdefender.com vulnerable SWF files
  • Privilege escalation on GravityZone ISO
  • Failure to invalidate session on password change or MFA change.

Program Terms

Participation in the Bitdefender Bug Bounty Reward program is voluntary and subject to the legal terms and conditions detailed on the Terms and Conditions page. By submitting a vulnerability report to Bitdefender, you acknowledge that you have read and agreed to our program terms.

Qualification Criteria

The program covers any exploitable vulnerability that can compromise the integrity of our user data, crash applications (leading to compromise of data) or disclose sensitive information (for example remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, authentication theft or bypass, clickjacking).

Make sure your submission report includes the proof of concept and replication information.

Non-qualifying vulnerabilities

Submissions that include just the output of automated tools will be marked as invalid. You must clearly outline the attack vectors and reproduction steps to accomplish the compromise.

Submission process

We encourage you to send your submissions in an encrypted format to bugbounty@bitdefender.com.

We prefer PGP and you can import our public key from here. Make sure your report includes:

  • A clear and relevant title
  • Affected product / service
  • Vulnerability details and impact
  • Reproduction steps / Proof of Concept

Rewards

There is no fixed price for submissions. They will all be evaluated and rewards will be issued based on impact. Obviously, an XSS submission will be valued less than an RCE.

The minimum reward is set at $100. We’re not setting an upper limit on rewards at this time. The rewards will be issued if you are the first one to submit a specific vulnerability and your report is determined to address a valid issue by our response team.

IMPORTANT
  • This program is open to participants worldwide, excluding locations where prohibited by law, who have reached the age of majority in their country, province or territory of residence.
  • Participants are responsible for any tax implications depending on the country of residency and citizenship. There may be additional restrictions on a participant’s ability to enter the program, depending upon local law.
  • Determining the validity and value of a submission lies exclusively with our team. We trust you to tinker with our technologies and you’ll have to trust us to be fair in our evaluation.

When does it start?
The Bitdefender Bug Bounty Program opened on 10th December 2015.
