Security vendor Avast has introduced a bug bounty program to find issues in its products Avast Free Antivirus, Avast Pro Antivirus and Avast Internet Security. Anyone who reports a bug in the latest shipped versions gets a reward ranging from $200 to $5000. The reward amount depends on the criticality of the bug; submitting a remote code execution bug earns the higher amounts, from $3000 to $5000.
Until now, we have known Google to reward researchers for finding bugs in its Chrome browser; however, Avast is the first security company to offer a reward program like this.
Avast bug bounty
If you're a security researcher or software developer who has found a bug in Avast software, you should report it to Avast by email; more details on how to report can be found here. Once you have submitted the bug, their panel of experts will review it, and you'll be paid only after Avast fixes the issue and releases the update.
Anyone can submit a bug, except those residing in countries like Iran, Syria, Cuba, North Korea and Sudan.
Avast is currently giving importance to the following bugs:
1. Remote code execution. These are the most critical bugs.
2. Local privilege escalation. That is, using Avast to e.g. gain admin rights from a non-admin account.
3. Denial-of-service (DoS). In case of Avast, that would typically be BSODs or crashes of the AvastSvc.exe process.
4. Escapes from the avast! Sandbox (via bugs in our code).
5. Certain scanner bypasses. These include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we're interested only in cases that cannot be mitigated by adding a new virus definition (please don't report undetected malware).
Do you think this is a good move from Avast? After all, all users of Avast will be better protected when the bug bounty program becomes successful.