Malwarebytes Coordinated Vulnerability Disclosure Program Guidelines

Responsible vs non-responsible disclosure

From our experience (a) disclosure of proof of concept exploit code, (b) unnecessary details to get the point across or (c) releasing vulnerability details prior to availability of a fix represents non-responsible disclosure which does more harm than good as it brings unnecessary attention to a security issue. Even if an issue is fixed through full and non-responsible disclosure, a determined and skilled attacker will always be able to find and exploit yet another vulnerability, so non-responsible or full disclosure will not make a positive difference on any given product and will generally result in putting real people at risk. Therefore, the Malwarebytes CVD program will only award bug bounties to reporters who follow responsible disclosure guidelines.

What do we mean by Bug Bounty?

Malwarebytes offers cash bug bounties for the most interesting bugs. The amount awarded for interesting bugs is between $100 and $1000 depending on the bug severity and exploitability. However, Malwarebytes reserves the right to increase this amount on a per case basis. Additionally, the most innovative submissions, as decided by our research team, are entered into the Malwarebytes Hall of Fame and get a package of cool Malwarebytes swag.

What confidentiality obligations do I take on by providing a submission?

If you send us a submission for this program, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless Malwarebytes makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability or showing the effects of the exploit in code.

What types of vulnerabilities does the CVD program accept?

The scope of the program is for remote code execution vulnerabilities in our products and disclosure of private user information in the www.malwarebytes.com domain. Sub-domains which redirect to third-party platforms that are NOT owned by Malwarebytes are out of scope of the Bug Bounty. Malwarebytes does not and cannot grant permission to perform penetration tests on platforms which are not owned by Malwarebytes. This includes sub-domains like info.malwarebytes.com, support.malwarebytes.com, forums.malwarebytes.org, blog.malwarebytes.com, store.malwarebytes.com, etc. Please check the DNS entry to verify ownership of the platform prior to performing any penetration tests.

It is required the reporter include proof of exploitability with the vulnerability report in the form of a proof-of-concept. While non-exploitable bugs which result in crashes and stability issues are welcomed, they may not be subject to the Bug Bounty. Eligibility of Bug Bounty for non-exploitable bugs will be considered by the Malwarebytes team on a case by case basis.

Malwarebytes is also interested in vulnerabilities in its web services (websites, portals, etc.) which may result in compromise, disclosure of confidential or personal information or which may otherwise put our users at risk.

Last edited March 15, 2016

Select your language