The Avast Bug Bounty Program rewards those who help us make the world a safer place

Help us crush the bugs in our products and claim a bounty as your reward

At Avast, our mission is to make the world a safer place. We know we aren’t fighting alone either. There is a huge community of security researchers out there who are committed to the same goal.

That’s why we created the Avast Bug Bounty Program. If you identify a security bug and help us make our products safer and more secure for our customers, we want to reward you. And for those of you who help us eliminate a really nasty bug, not only will we pay a bounty, we may even give you a shoutout on our Hacker Hall of Fame.

These pages detail everything you need to know to help us squash some bugs. The Avast Bug Bounty Program is all about security bugs (naturally), but if you’ve found any other vulnerabilities relating to our website or business operations, take a look at our Coordinated Vulnerability Disclosure Program.

Everything you need to know about the Avast Bug Bounty Program

Where to submit your bug

  • Send it to bugs@avast.com (please use English when submitting)
  • We recommend you encrypt your email — you can use our PGP key

What to put in your bug report
A good bug report needs to contain enough key information so that we can reliably reproduce the bug ourselves. Our bounty program is designed for software developers and security researchers, so reports should be technically sound. Make sure to include:

  • A detailed bug description
  • The exact product version and environment you found the bug on
  • Sample code (if relevant)

What happens next?
Once we get your report, a member of our team will respond to your email as soon as possible. If you don’t get a response within a few days, there’s a chance our spam filter blocked you, so don’t be afraid to resend.

What bugs are eligible for the bounty?
To claim the bounty, bugs must be original and previously unreported. If two or more people submit the same bug, the bounty will go to the researcher who submitted their report first.

If you disclose the bug publicly before a fix is released or try to exploit it, you won’t be eligible for the bounty. After all, that would be a little bit evil.

How long does the process take?
Just like bugs in real life, every software bug has its own personality and charms, so we can’t promise exactly how long it will take to fix one. We always do our best to solve issues as fast as possible, and we will communicate with you throughout this process.

What types of bugs are we looking for?
Our bounty program is designed for security-related bugs only. It applies to products from all of our brands, including Avast, AVG, CCleaner, and HMA. A full list of all products can be found below.

If you find a bug in a product or tool that Avast uses but that was potentially built by someone else, or on our website, we’d love it if you let us know. However, these kinds of bugs are not part of our bounty program and should be reported to us via our Coordinated Vulnerability Disclosure Program.

The following bugs qualify for our bounty program:

  • Remote code execution - These are the most critical bugs, and we particularly appreciate your help stomping these out.
  • Local privilege escalation - That is, using Avast, for instance, to gain admin rights from a non-admin account.
  • Denial-of-service (DoS) - Typically, in relation to Avast, these include BSODs or crashes of the AvastSvc.exe process.
  • Certain scanner bypasses - These include straightforward, clear bypasses (i.e., scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine, etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition.
  • If you have any undetected malware, please report it here.

Bugs come in many guises. So if the type you found isn’t listed above but has the potential to really wreak havoc, we would certainly consider it for the program.

How much is a bug worth?
If your bug is enough to make our security team’s skin crawl and is accepted as eligible for the bounty, the base payment is $400 per bug.

But if you find a really nasty type, the bounty goes much higher. A panel of independent Avast experts will consider the criticality of the bug (as well as its neatness) and may pay out in the thousands.

How we pay bounties
Payment can be made by PayPal or wire transfer. Let us know your preferred method. Take note, paying taxes (or any other relevant fees in your country of residence) is up to you. Sorry about that!

Payment is made once we have fixed the bug in question (or, in very specific cases, once we have decided not to fix it).

Eligibility for the program
Employees of Avast and their close relatives (parents, siblings, children, or spouses) are not eligible for bounties (this applies to you too, QA-ers). Additionally, Avast business partners, agencies, distributors, and their employees are also excluded from this program. Sorry, Lubos.

We do not accept submissions from the following countries: Syria, North Korea and Crimea.

Help us crush bugs in the following products:

Avast

Windows

MacOS

Linux

iOS

Android

Multiplatform

AVG

Windows

MacOS

iOS

Android

Multiplatform

HMA

Multiplatform

CCleaner

Windows

MacOS

Android

Multiplatform
