We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at AVG Technologies. Every day new security issues and attack vectors are created. AVG Technologies strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

This program is targeted purely on the client side applications. Any server / back-end testing is out of scope of this program.

Targets

In scope

  • AVG AntiVirus for Mac (Mac single device client side application)
  • AVG Antivirus Protection PRO (PC multi-device client side application)
  • AVG Antivirus Protection FREE (PC multi-device client side application)
  • AVG Internet Security (PC single device client side application)
  • AVG AntiVirus FREE (PC single device client side application)

This program is targeted purely on the client side applications. Any server / back-end testing is out of scope of this program.

Please, always download the latest installation package:

  • AV Free: http://www.avg.com/us-en/free-antivirus-download (use Free Download button)
  • IS: http://www.avg.com/us-en/internet-security (use Free Trial Download button)
  • Protection Free: http://www.avg.com/ww-en/free-antivirus-download (use Free Download button)
  • Protection Pro: http://www.avg.com/ww-en/free-antivirus-protection (use Free Trial Download button)
  • Mac AV: http://www.avg.com/ww-en/avg-antivirus-for-mac (use Free Download button)

Focus Areas:

We are interested in security related bugs only:

  • Remote code execution
  • Local privilege escalation: e.g. situations when AVG allows a non-privileged user to gain Administrator or System rights
  • Denial of service (DoS): e.g. crashes of AVG processes or BSOD caused by AVG drivers
  • Self Protection bypass (from user-mode only): e.g. causing corruption of AVG files, registry keys or running processes or making key components of AVG product nonfunctional
  • other security related bugs with a severe impact on the system security or stability

Please read and follow the rules in the Standard Disclosure Terms.

Out of Scope:

All AVG systems and services not listed above are explicitly excluded from the bounty program. Any researcher seeking to perform vulnerability testing upon excluded systems, including server or back-end testing, must have prior written consent from the SVP of Engineering at AVG Technologies. We may legally pursue researchers conducting vulnerability testing on excluded systems without prior written consent.

The following finding types are specifically excluded from the program:

  • Functional, UI and UX bugs and spelling or localization mistakes.
  • False positive clean app detection or False negative malware detection -- please report these here: http://www.avg.com/submit-sample
  • Bugs in Windows OS and libraries, even though AVG may be using them

Legal notes:

Your submission of a bug constitutes acceptance of the AVG End User License Agreement (www.avg.com/eula) for the corresponding product, and all submissions will be considered user comments in accordance with the EULA.
We reserve the right to cancel this program at any time and the decision to reward a bounty or not is entirely at our discretion. In participating in this program, you must not violate any law. You also must not disrupt any service or compromise anyone’s data.

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd's VRT.

This bounty requires explicit permission to disclose the results of a submission.