Everything you need to know about the Avast Bug Bounty Program

Where to submit your bug

What to put in your bug report

A good bug report needs to contain enough key information so that we can reliably reproduce the bug ourselves. Our bounty program is designed for software developers and security researchers, so reports should be technically sound. Make sure to include:

  • A detailed bug description
  • The exact product version and environment you found the bug on
  • Sample code (if relevant)

What happens next?

Once we get your report, a member of our team will respond to you as soon as possible. If you submitted the report via email and don’t get a response within a few days, there’s a chance you have been blocked by a spam filter, so don’t be afraid to resend.

What bugs are eligible for the bounty?

To claim the bounty, bugs must be original and previously unreported. If two or more people submit the same bug, the bounty will go to the researcher who submitted their report first.

If you disclose the bug publicly before a fix is released or try to exploit it, you won’t be eligible for the bounty. After all, that would be a little bit evil.

How long does the process take?

Just like bugs in real life, every software bug has its own personality and charms, so we can’t promise exactly how long it will take to fix one. We always do our best to solve issues as fast as possible, and we will communicate with you throughout this process.

What types of bugs are we looking for?

Our bounty program is designed for security-related bugs only. It applies to products from all of our brands, including Avast, AVG, CCleaner, and HMA. A full list of all products can be found below.

If you find a bug in a product or tool that Avast uses but that was potentially built by someone else, or on our website, we’d love it if you let us know. However, these kinds of bugs are not part of our bounty program and should be reported to us via our Coordinated Vulnerability Disclosure Program.

The following bugs qualify for our bounty program:

  • Remote code execution
    These are the most critical bugs, so we particularly appreciate your help stomping them out.
  • Local privilege escalation
    That is, using Avast, for instance, to gain admin rights from a non-admin account.
  • Denial-of-service (DoS)
    Typically, in relation to Avast, these include BSODs or crashes of the AvastSvc.exe process.
  • Certain scanner bypasses
    These include straightforward, clear bypasses (i.e., scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine, etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition.

If you have any undetected malware, please report it here.

Bugs come in many guises. So if the type you found isn’t listed above but has the potential to really wreak havoc, we would certainly consider it for the program.

How much is a bug worth?

If your bug is enough to make our security team’s skin crawl and is accepted as eligible for the bounty, the base payment is $400 per bug.

But if you find a really nasty type, the bounty goes much higher. A panel of independent Avast experts will consider the criticality of the bug (as well as its neatness) and may pay out in the thousands.

How we pay bounties

Payment can be made by PayPal or wire transfer. Let us know your preferred method. Note that paying taxes (or any other relevant fees in your country of residence) is up to you. Sorry about that!

Payment is made once we have fixed the bug in question (or, in very specific cases, once we have decided not to fix it).

Eligibility for the program

Employees of Avast and their close relatives (parents, siblings, children, or spouses) are not eligible for bounties (this applies to you too, QA-ers). Additionally, Avast business partners, agencies, distributors, and their employees are also excluded from this program. Sorry, Lubos.

We do not accept submissions from the following countries: Syria, North Korea and Crimea.
