The Avast bug bounty program
The Avast bug bounty program was designed to reward security researchers for finding issues in our software.
How to report a bug and qualify for the bounty:
- Please submit bugs to email address email@example.com. It is recommended to encrypt your email - here's our PGP key.
- A good bug report needs to contain sufficient information to reliably reproduce the bug on our side. Please include all information that may be relevant – your exact environment, detailed bug description, sample code (if applicable) etc. It also needs to contain a decent analysis – this is a program designed for security researchers and software developers and we expect certain quality level.
- You will receive a response from an Avast team member acknowledging receipt of your email. If you do not receive a response, please do not assume we’re ignoring you – we will do our best to follow up with you asap. Also, in such a case it is possible your email didn’t make it through a spam filter - so resending it may be a good idea in this case.
- The bounty program is designed for security-related bugs only. Namely, these bugs will qualify for the bounty (on the order of importance):
- Remote code execution. These are the most critical bugs.
- Local privilege escalation. That is, using Avast to e.g. gain admin rights from a non-admin account.
- Denial-of-service (DoS). In case of Avast, that would typically be BSODs or crashes of the AvastSvc.exe process.
- Certain scanner bypasses. These include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition (please don’t report undetected malware)
- Other bugs with serious security implications (will be considered on a case by case basis).
- The base payment is $400 per bug. Depending on the criticality of the bug (as well as its neatness) the bounty goes much higher (each bug is judged independently by a panel of Avast experts). Remote code execution bugs pay at least $6,000 – $10,000 or more.
- The above mentioned ranges may change at any time - typically based on the number and quality of incoming reports.
- This program is only about bugs in Avast itself. For example, if you find a bug in a Microsoft library (even if it’s used by Avast), please report it to Microsoft instead (but ideally let us know as well).
- The program is currently limited to consumer Windows versions of Avast only (i.e.: Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security and Avast Premier). Only bugs in the latest shipping versions of these products will be considered.
- Payment will be done preferably by PayPal. If you can’t accept PayPal (e.g. because it doesn’t work in your country), please get in touch with us and we will try to figure out something else.
- The reports should be submitted in English
- We do not accept submissions from the following countries: Iran, Syria, Cuba, North Korea and Sudan.
- It is the researcher’s own responsibility to pay any taxes and other applicable fees in his/her country of residence.
- In order to be eligible for the bounty, the bug must be original and previously unreported.
- If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first.
- You must not publicly disclose the bug until after an updated version of Avast that fixes the bug is released. Otherwise, the bounty will not be paid.
- The bounty will be paid after we fix the issue (or, in specific cases, decide to not fix it).
- Some bugs may take longer to correct. We will do our best to fix any critical bugs in a timely fashion. We appreciate your patience.
- Employees of Avast and their close relatives (parents, siblings, children, or spouse) and Avast business partners, agencies, distributors, and their employees are excluded from this program.
- We reserve the right to change the rules of the program or to cancel it at any time.