Malwarebytes Responsible Disclosure Program Guidelines
Responsible vs non-responsible disclosure
From our experience, (a) public disclosure of proof-of-concept exploit code, (b) publishing more detail than is needed to get the point across, or (c) releasing vulnerability details before a fix is available all constitute non-responsible disclosure. This does more harm than good, because it draws unnecessary attention to a security issue before users can be protected. Therefore, the Malwarebytes CVD program will only award bug bounties to reporters who follow responsible disclosure guidelines.
What do we mean by Bug Bounty?
Malwarebytes offers cash bug bounties for the most interesting bugs. The amount awarded depends on the severity and exploitability of the bug; Malwarebytes also reserves the right to increase this amount on a case-by-case basis. Additionally, CVEs are assigned and listed at https://www.malwarebytes.com/secure/cves.
What confidentiality obligations do I take on by providing a submission?
If you send us a submission for this program, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity until after the fix is acknowledged, unless Malwarebytes makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability or showing the effects of the exploit in code.
What types of vulnerabilities does the CVD program accept?
Please follow the HackerOne program guideline.
Last edited August 13, 2025