Avast News

Avast's new bug bounty program offers up to thousands for reports

Emma McGowan, 9 November 2020

Our revamped program comes with straightforward rules and added features

In an ideal world, every company would have flawless software. No holes. No bugs. Airtight. But in the real world, every company has cracks that, if left undetected, can threaten security — even security companies. That’s why Avast Chief Information Security Officer (CISO) Jaya Baloo relaunched the Avast Bug Bounty Program, complete with a new look, new rules, and a new Hacker Hall of Fame.

“You can only find so much stuff yourself,” Baloo says. “What you want in an ideal world is to deliver software that has no issues; that it’s just perfect in the first run in your own tests. But that’s not always possible. We’re not perfect.” 

The bug bounty rules are pretty simple: Use the submission form to send in a detailed bug description, exactly where you found it, and any relevant code. The first researcher to report a bug gets the bounty, which starts at $400 and increases based on the severity of the bug, potentially up to thousands of dollars per report. And if you try to exploit the bug yourself or publicly expose it? No bounty for you.

“The bug bounty program uses the power of community,” Baloo says. “And frankly I find it fair that we pay for the effort put in by the security researcher to find the vulnerability and report it to us.”

While Avast is interested in knowing about vulnerabilities in products that we use that aren’t built by us, those don’t qualify for a bounty and should be reported to the Coordinated Vulnerability Disclosure Program. Here’s a quick overview of the types of bugs that do qualify:

  • Remote code execution
  • Local privilege escalation
  • Denial-of-service (DoS)
  • Certain scanner bypasses

And you can check out the Bug Bounty Rules for more info on each.

Baloo also created a Hacker Hall of Fame to publicly acknowledge the ethical hackers who are helping Avast secure both Avast products and the website itself. (There’s also the option to remain anonymous, for bounty hunters who prefer to work in the shadows.)

“It’s about giving credit where credit is due,” Baloo says. “We’re trying to make the world safer and if people help us do that, we want to acknowledge that.”

Baloo also wanted the new site to have a brand new feel, highlighting the fact that “bug bounty researchers are cool and the work they do is really meaningful.” To that end, the site features sci-fi imagery that’s meant to be a call out to the most famous bounty hungers in nerd culture: those found in Star Wars and The Mandalorian. 

“This whole bounty hunter thing is a long tradition amongst nerds,” Baloo says. “It’s way cooler than that Discovery show about bounty hunters.”

The goal of the new Avast bug bounty program is to not only secure the Avast site and products, but to help make the digital world safer for everyone. And for that, we need your help.

“Tell us what you find,” Baloo says. “We are really, really grateful.”