A good bug report needs to contain enough key information so that we can reliably reproduce the bug ourselves. Our bounty program is designed for software developers and security researchers, so reports should be technically sound. Make sure to include:
Once we get your report, a member of our team will respond to you as soon as possible. If you submitted the report via email and don’t get a response within a few days, there’s a chance you have been blocked by a spam filter, so don’t be afraid to resend.
To claim the bounty, bugs must be original and previously unreported. If two or more people submit the same bug, the bounty will go to the researcher who submitted their report first.
If you disclose the bug publicly before a fix is released or try to exploit it, you won’t be eligible for the bounty. After all, that would be a little bit evil.
Just like bugs in real life, every software bug has its own personality and charms, so we can’t promise exactly how long it will take to fix one. We always do our best to solve issues as fast as possible, and we will communicate with you throughout this process.
Our bounty program is designed for security-related bugs only. It applies to products from all of our brands, including Avast, AVG, CCleaner, and HMA. A full list of all products can be found below.
If you find a bug in a product or tool that Avast uses but that was potentially built by someone else, or on our website, we’d love it if you let us know. However, these kinds of bugs are not part of our bounty program and should be reported to us via our Coordinated Vulnerability Disclosure Program.
The following bugs qualify for our bounty program:
Bugs come in many guises. So if the type you found isn’t listed above but has the potential to really wreak havoc, we would certainly consider it for the program.
If your bug is enough to make our security team’s skin crawl and is accepted as eligible for the bounty, the base payment is $400 per bug.
But if you find a really nasty type, the bounty goes much higher. A panel of independent Avast experts will consider the criticality of the bug (as well as its neatness) and may pay out in the thousands.
Payment can be made by PayPal or wire transfer. Let us know your preferred method. Take note, paying taxes (or any other relevant fees in your country of residence) is up to you. Sorry about that!
Payment is made once we have fixed the bug in question (or, in very specific cases, once we have decided not to fix it).
Eligibility for the program Employees of Avast and their close relatives (parents, siblings, children, or spouses) are not eligible for bounties (this applies to you too, QA-ers). Additionally, Avast business partners, agencies, distributors, and their employees are also excluded from this program. Sorry, Lubos.
We do not accept submissions from the following countries: Syria, North Korea and Crimea.