Bug Bounty

Here you can check bitdefender hall of fame.

The Bug Bounty Reward program encourages security researchers to identify and submit vulnerability reports regarding virtually everything that bears the Bitdefender brand, including but not limited to the website, products and services.
Please note that, for the time being, the following assets are out of the scope of this program:
bitdefender.eu/bitdef.eu
bitdefender.in
bitdefender.com.pl / bitdefender.emarken.pl
bitdefender-ea.com
bitdefender.dk
bitdefender.com.tw / bitdefender.qcomgroup.com.tw
bitdefender.sk / bitdef.sk
bitdefender.com.br
bitdefender.ge
bitdefender.com.bd
bitdefender.cz / bitdef.cz
bitdefender.my
bitdefender.rs
bitdefender.co.jp
bitdefender.co.il
bitdefender.com.tr
bitdefender.com.kh
bitdefender.co.th
bitdefender.az
bitdefender.vn
bitdefenderthailand.com
bitdefendervietnam.com
bitdefender.pl
bitdefenderlaos.com
bitdefendercambodia.com
bitdefendermyanmar.com
bitdefender.la
bitdefender.pt
bitdefender.br
bitdefender.nl
bitdefender.de
bitdefender.it
bitdefender.ru
bitdefender.cz
bitdefender.gr
bitdefender.bo
bitdefender.com.ua
Bitdefender Free Antispam for Mail Servers (FRAMS)
Both product and website (http://frams.bitdefender.com)
Bitdefender security for Mail Servers
elearning.bitdefender.com
cloud.bitdefender.net

The following kinds of findings are specifically non-rewardable within this program:

Self XSS
Descriptive error messages (e.g. stack traces, application or server errors).
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Fingerprinting/banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
CSRF on forms that are available to anonymous users, (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure and HTTPOnly cookie flags.
Weak Captcha/Captcha Bypass.
Login or Forgot Password page brute force and account lockout not enforced.
OPTIONS HTTP method enabled.
HTTPS Mixed Content Scripts.
Username / email enumeration
- via Login Page error message
- via Forgot Password error message
Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Content-Security-Policy-Report-Only
Missconfigured or lack of SPF records
Out of date software versions
Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues)

Program Terms

Participation in the Bitdefender Bug Bounty Reward program is voluntary and subject to the legal terms and conditions detailed on Terms and Conditions page. By submitting a vulnerability report to Bitdefender, you acknowledge that you have read and agreed to our program terms.

Qualification Criteria

The program covers any exploitable vulnerability that can compromise the integrity of our user data, crash applications (leading to compromise of data) or disclose sensitive information (for example remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, authentication theft or bypass, clickjacking).

Make sure your submission report includes the proof of concept and replication information.

Non-qualifying vulnerabilities

Submissions that include just the output of automated tools will be marked as invalid. You must clearly outline the attack vectors and reproduction steps to accomplish the compromise

Submission process

We encourage you to send your submissions in an encrypted format to bugbounty@bitdefender.com

We prefer PGP and you can import our public key from here. Make sure your report includes:

A clear and relevant title
Affected product / service
Vulnerability details and impact
Reproduction steps / Proof of Concept

Rewards

There is no fixed price for submissions. They will all be evaluated and rewards will be issued based on impact. Obviously an XSS submission will value less than RCE.

The minimum reward is set at $100. We’re not setting an upper limit on rewards at this time. The rewards will be issued if you are the first one to submit a specific vulnerability and your report is determined to address a valid issue by our response team.

IMPORTANT

This program is open to participants worldwide, excluding locations where prohibited by law, who have reached the age of majority in his/her country, province or territory of residence.
Participants are responsible for any tax implications depending on the country of residency and citizenship. There may be additional restrictions on a participant’s ability to enter the program, depending upon local law.
Determining the validity and value of a submission lies exclusively with our team. We trust you to tinker with our technologies and you’ll have to trust us to be fair in our evaluation.

When does it start?
The Bitdefender Bug Bounty Program opens on 10th December 2015.

Meerlagige, Moderne Eindpuntbeveiliging,
nu met EDR

GravityZone Ultra Suite Met GravityZone XDR

Bitdefender brengt agentloze beveiliging naar VMware NSX-T Data Center

Bitdefender introduceert nieuwe threat intelligence service

Cybersecurity-oplossingen Bitdefender bekroond door gerenommeerde, onafhankelijke onderzoeksbureaus AV-TEST en AV Comparatives

Bitdefender, Europol, de Roemense politie en de Directorate for Investigating Organized Crime and Terrorism (DIICOT) bieden nieuwe, gratis decryptietool voor nieuwste GandCrab ransomware

Bitdefender stelt Christian Stanford aan als senior director EMEA Channels