Due to holidays, the response team handling the Bug Bounty program will take a short break from Dec 19th 2016 until Jan 16th 2017. You are encouraged to keep sending your submissions, but only the highly critical ones (RCE in a critical asset, for example) will receive a response. Usual activity will resume on January 16th 2017. A great THANK YOU to all participants, past, present and future. You guys help us keep our name as best-of-breed in the security space. Happy Holidays to everyone!
Here you can check the Bitdefender Hall of Fame.
The Bug Bounty Reward program encourages security researchers to identify and submit vulnerability reports regarding virtually everything that bears the Bitdefender brand, including but not limited to the website, products and services.
Please note that, for the time being, the following assets are out of the scope of this program:
bitdefender.com.pl / bitdefender.emarken.pl
bitdefender.com.tw / bitdefender.qcomgroup.com.tw
bitdefender.sk / bitdef.sk
bitdefender.cz / bitdef.cz
Bitdefender Free Antispam for Mail Servers (FRAMS), both product and website (http://frams.bitdefender.com)
Bitdefender Security for Mail Servers
Participation in the Bitdefender Bug Bounty Reward program is voluntary and subject to the legal terms and conditions detailed on the Terms and Conditions page. By submitting a vulnerability report to Bitdefender, you acknowledge that you have read and agreed to our program terms.
The program covers any exploitable vulnerability that can compromise the integrity of our user data, crash applications (leading to compromise of data) or disclose sensitive information (for example remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, authentication theft or bypass, clickjacking).
Make sure your submission report includes the proof of concept and replication information.
Submissions that include just the output of automated tools will be marked as invalid. You must clearly outline the attack vectors and reproduction steps to accomplish the compromise.
We encourage you to send your submissions in an encrypted format to email@example.com
We prefer PGP and you can import our public key from here. Make sure your report includes:
There is no fixed price for submissions. They will all be evaluated and rewards will be issued based on impact. Obviously an XSS submission will be worth less than an RCE.
The minimum reward is set at $250. We’re not setting an upper limit on rewards at this time. The rewards will be issued if you are the first one to submit a specific vulnerability and your report is determined to address a valid issue by our response team.
When does it start?
The Bitdefender Bug Bounty Program opens on 10th December 2015.