Coordinated Vulnerability Disclosure
Help us build a safer world
Nothing matters more to us than keeping our users safe online. We constantly monitor and test our systems, but we are aware that as a global software company we will always be a popular target for cybercriminals.
We run a responsible disclosure program that offers a reward for anyone finding and reporting to us a vulnerability in our products, website, or systems. We take all reports regarding a security issue seriously and will work with you to thoroughly analyze your findings.
What to do if you find a vulnerability
If you find any indications of a vulnerability in any of our systems, we kindly ask you to inform us as soon as possible, preferably using our PGP Key. Please don’t take advantage of the vulnerability. We will not only be slightly pissed off, we might also have to take legal action.
We also ask you not to disclose your findings externally until you have reported it to us and we’ve been able to investigate. This is to ensure that we can protect our users by preventing a malicious actor from taking advantage of the situation.
How to make a report
- Submit any potential vulnerabilities to firstname.lastname@example.org
- Don’t worry, if you don’t want to give your personal details, you can stay anonymous if you prefer
What to put in your email
Please provide as much information as possible (including available indications such as IP addresses, logs, screenshots, etc).
We ask you not to take advantage of the potential vulnerability or to attempt to capture, change or delete any more data than necessary to demonstrate the vulnerability. And once again, please do not mention the vulnerability publicly until we’ve been able to take a look.
What happens next?
Once you report a vulnerability, we will respond within two business days to work with you on evaluating the issue and determining next steps. We’ll keep you informed as we resolve the issue.
Don’t worry, we will handle your report with the strictest confidence and will not pass any of your details to any third party without your explicit permission. However, if you are happy to be recognized, we’d be delighted to give you credit for your work and even make you a proud member of the Hacker Hall of Fame (woohoo)!
To show our gratitude, we’ll be happy to provide you with some cool Avast swag (and if the vulnerability reported was really scary, we’ll make sure you really get some other cool stuff).