Nothing matters more to us than keeping our users safe online. We constantly monitor and test our systems, but we are aware that as a global software company we will always be a popular target for cybercriminals.
We run a responsible disclosure program that offers a reward for anyone finding and reporting to us a vulnerability in our products, website, or systems. We take all reports regarding a security issue seriously and will work with you to thoroughly analyze your findings.
If you find any indications of a vulnerability in any of our systems, we kindly ask you to inform us as soon as possible, preferably using our PGP Key. Please don’t take advantage of the vulnerability. We will not only be slightly pissed off, we might also have to take legal action.
We also ask you not to disclose your findings externally until you have reported them to us and we’ve been able to investigate. This is to ensure that we can protect our users by preventing a malicious actor from taking advantage of the situation.
Please provide as much information as possible (including available indications such as IP addresses, logs, screenshots, etc.).
We ask you not to take advantage of the potential vulnerability or to attempt to capture, change or delete any more data than necessary to demonstrate the vulnerability. And once again, please do not mention the vulnerability publicly until we’ve been able to take a look.
Once you report a vulnerability, we will respond within two business days to work with you on evaluating the issue and determining next steps. We’ll keep you informed as we resolve the issue.
Don’t worry, we will handle your report with the strictest confidence and will not pass any of your details to any third party without your explicit permission. However, if you are happy to be recognized, we’d be delighted to give you credit for your work and even make you a proud member of the Hacker Hall of Fame (woohoo)!
To show our gratitude, we’ll be happy to provide you with some cool Avast swag (and if the vulnerability reported was really scary, we’ll make sure you really get some other cool stuff).
Vulnerabilities are evaluated based on their severity in the context of our environment.
Therefore, not every flaw can be evaluated as a true positive. Vulnerabilities must be original and previously unreported. If two or more people submit the same report, only the researcher who submitted their report first will be recognized. Please be aware there is no legal claim for a reward.
Important update: Until further notice, we have postponed sending Avast swag during the Covid-19 pandemic situation.