Anti-virus vendor Avast has announced the launch of a bug bounty program.
With base payments of $200 (£126) per bug, though these could be higher depending on the criticality, Avast said that remote code execution bugs will pay at least $3,000 – $5,000 (£1,899 - £3,166) or more. It also said that it is only interested in remote code execution bugs, which it deems to be the most critical, as well as local privilege escalation, denial-of-service, sandbox bugs, scanner bypasses and other bugs with serious security implications that will be considered on a case by case basis.
According to the company, the bounty program is designed for security-related bugs only and for those within the product, and not within the Avast website and services. It is also currently limited to consumer Windows versions of Avast.
It said: “As a security company, we very much realise that security bugs in software are reality. But we also realise that companies that are able to use their user communities to find and fix bugs are generally more successful that those that don't.
“Therefore, we have decided to reward individuals who help us find and fix security-related bugs in our own software. This makes us probably the first security vendor with a reward program like this: I think it's mainly because the other companies generally take the position that ‘Hey, we're a security company. So we know security and it can't happen to us.' But in reality, that's not what's happening. Just look at bugtraq or the CVE databases and you will find that security software is no more immune to these issues than any other programs. A bit of irony, given that people generally install security software to fight security issues in the first place, isn't it?”
To be eligible for the bounty, the bug must be original and previously unreported and researchers are asked not to publicly disclose the bug until after an updated version of Avast that fixes the bug is released. “A good bug report needs to contain sufficient information to reliably reproduce the bug on our side. Please include all information that may be relevant – your exact environment, detailed bug description, sample code (if applicable) etc. It also needs to contain a decent analysis – this is a program designed for security researchers and software developers and we expect certain quality level,” it said.