Details

{F2076724}

Here at Malwarebytes, we believe that when you’re free from threats, you’re free to thrive. It all started with one person who needed help with a malware infection, and a community coming together to find solutions. In that moment in time a product was born for all people, with a mission to rid the world of malware.

Our product has since grown and evolved. From removing malware, to protecting devices, to ever-changing prevention.

Now we’re doing so much more than just malware remediation. We’ve forged ahead into the world of cyberprotection, privacy, and beyond.

Our products are robust, and our tech effective, across devices and the cloud. We’re trusted by businesses large and small, and institutions like schools, hospitals and governments. We’re powered by AI, and behavioral-based technology, and driven by hundreds of researchers, hunters, and innovators. All committed to delivering the best cyberprotection available anywhere.

We’re intuitive to use, and we’re more accessible to more people from all walks of life, from grandparents to geeks.

Malwarebytes is at home in the home, on-the-go, and in the corporate conference room. Made for individuals, public organizations, private entities, and everything in between.

This is what we live for, and we’re relentlessly committed to bringing effective, intuitive, and inclusive solutions to the people, families, and businesses of all kinds.

Malwarebytes looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Malwarebytes will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response	SLA in business days
First Response	2 days
Time to Triage	10 days
Time to Resolution	Depends on severity and complexity
Time to Bounty	Dependent on the Time to Resolution

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.

CVE

When deemed applicable, we request and publish CVEs at: https://www.malwarebytes.com/secure/cves

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
All reports for the same endpoint - regardless the HTTP verbs used (e.g. GET, POST, PUT, DELETE) will be considered duplicates as long as the underlying issue is not resolved. After the fix is applied, new reports will be triaged accordingly.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
The Malwarebytes team is still interested in vulnerabilities outside of the listed scope should anything critical be discovered.

Test Plan

When registering an account on Malwarebytes' services be sure to use your @wearehackerone.com email alias.

Scope Exclusions

Sub-domains that point to third-party service providers are eligible for reputation, but are not eligible for a bounty from Malwarebytes. Please check the DNS entry to verify ownership of the platform prior to performing any security testing.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope. However, depending on the context of the report we may still accept an out of scope issue:

Self-Protection must be enabled for Malwarebytes for Windows.
Software should be the latest version currently available for download
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
DoS/DDoS of web services. DoS is in scope for host (Windows, Mac, Mobile) applications
Brute-force attacks (* Rate limiting or bruteforce issues on non-authentication endpoints)
Do not attempt to access user profiles other than your own
Vulnerabilities that require unlikely, uncommon, or otherwise contrived system or application configurations
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
Vulnerabilities that are resolved via product documentation updates without a change in product code or configuration.
Software detection gaps are considered valuable improvement suggestions and not vulnerabilities.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Malwarebytes and our users safe!

Response Targets

Malwarebytes will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response	SLA in business days
First Response	2 days
Time to Triage	10 days
Time to Resolution	Depends on severity and complexity
Time to Bounty	Dependent on the Time to Resolution

We’ll try to keep you informed about our progress throughout the process.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

All reports for the same endpoint - regardless the HTTP verbs used (e.g. GET, POST, PUT, DELETE) will be considered duplicates as long as the underlying issue is not resolved. After the fix is applied, new reports will be triaged accordingly.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

The Malwarebytes team is still interested in vulnerabilities outside of the listed scope should anything critical be discovered.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope. However, depending on the context of the report we may still accept an out of scope issue:

Self-Protection must be enabled for Malwarebytes for Windows.

Software should be the latest version currently available for download

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

DoS/DDoS of web services. DoS is in scope for host (Windows, Mac, Mobile) applications

Brute-force attacks (* Rate limiting or bruteforce issues on non-authentication endpoints)

Do not attempt to access user profiles other than your own

Vulnerabilities that require unlikely, uncommon, or otherwise contrived system or application configurations

Clickjacking on pages with no sensitive actions

Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

Attacks requiring MITM or physical access to a user's device.

Previously known vulnerable libraries without a working Proof of Concept.

Comma Separated Values (CSV) injection without demonstrating a vulnerability.

Missing best practices in SSL/TLS configuration.

Any activity that could lead to the disruption of our service (DoS).

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Missing best practices in Content Security Policy.

Missing HttpOnly or Secure flags on cookies

Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

Tabnabbing

Open redirect - unless an additional security impact can be demonstrated

Issues that require unlikely user interaction

Vulnerabilities that are resolved via product documentation updates without a change in product code or configuration.

Software detection gaps are considered valuable improvement suggestions and not vulnerabilities.

Safe Harbor

Thank you for helping keep Malwarebytes and our users safe!