Issues are unavoidable in the IT world – but problems can be a matter of choice. At Avira, we’ve chosen a proactive approach as the single best way to respond to new or potential security issues before a full-blown problem can emerge. This approach requires working with and listening to the leading researchers and companies in the security space. We appreciate and fully support this community’s efforts to create a more secure world.
This program is a pilot initiative from Avira. Depending on the success of this initiative, we may decide to change, pause or cancel the program at any time and without further notice. We encourage you to check the status of the program on a regular basis.
This program is targeted purely at the client-side applications. Any server/back-end testing is out of scope of this program. [This is to say that any request, regardless of origin, to any web-based property is out of scope.]
Please always download the latest installation package:
We are interested in security related bugs only:
- Remote code execution
- Local privilege escalation: e.g. situations when Avira allows a non-privileged user to gain Administrator or System rights
- Denial of service (DoS): e.g. crashes of Avira processes or BSOD caused by Avira drivers
- Self-protection bypass (from user mode only): e.g. causing corruption of Avira files, registry keys or running processes, or making key components of the Avira product non-functional
- Other security related bugs with a severe impact on the system security or stability
Please read and follow the rules in the Standard Disclosure Terms.
Out of Scope
All Avira systems and services not expressly listed above (see 'Targets') are explicitly excluded from the bounty program. Any researcher seeking to perform vulnerability testing upon excluded systems, including server or back-end testing, must have prior written consent from the Security Manager Products & Services at Avira. We reserve the right to legally pursue researchers conducting vulnerability testing on excluded systems without prior written consent.
Our antivirus software (the targets mentioned above) does communicate with backends/web services, e.g. to send data or fetch updates. As stated above, all those backends/web services must not be targeted and are out of scope.
The following finding types are specifically excluded from the program:
- Functional, UI and UX bugs, and spelling or localization mistakes.
- False positives (clean applications detected as malware) or false negatives (undetected malware) -- please report these here: https://analysis.avira.com/en/submit
- Findings that require specific preparation of the system, such as booting into Windows Safe Mode or using administrative or elevated permissions
- Bugs in Windows OS and libraries, even though Avira may be using them
- All applications offered inside or managed through the 'Avira Launcher' are excluded from the program and out of scope (except our Free Antivirus)
For out of scope inquiries, please send us an email: firstname.lastname@example.org
To participate, download a product and submit a bug, you must accept the Avira End User License Agreement (http://www.avira.com/en/license-agreement-terms-of-use/) for the corresponding product. We reserve the right to cancel this program at any time and the decision to reward a bounty or not is entirely at our discretion. In participating in this program, you must comply with all applicable laws and regulations. You may not disrupt any service or compromise anyone’s data.
Basic rules of participation
The bounty program is designed for security-related bugs only. The following bugs will qualify for the bounty (in order of importance):
- Remote code execution. These are the most critical bugs: up to 2,500$
- Local privilege escalation. That is, using Avira to e.g. gain admin rights from a non-admin account: up to 1,500$
- Denial-of-service (DoS). In case of Avira, that would typically be BSODs or crashes of the avguard.exe process: up to 500$
- Certain scanner bypasses. These include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition (please don’t report undetected malware): up to 200$
- Other bugs with serious security implications (will be considered on a case by case basis): up to 100$
The aforementioned amounts are suggested maximum amounts only. The final determination of the payouts is subject to Avira's exclusive discretion.
- The above-mentioned ranges may change at any time - typically based on the number and quality of incoming reports.
- This bounty is subject to Bugcrowd’s standard disclosure terms (https://bugcrowd.com/resources/standard-disclosure-terms).
- The reports must be submitted in English.
- All files sent to Avira must be in typical, common file formats; for example, video files should be sent in .mp4 or .avi format.
- If a 'proof of concept' file is requested, it must be sent both as a runnable version (compiled file) AND as the source-code project. Please bundle these together in an archive such as zip, rar or 7zip.
- All vulnerabilities must be described step by step, with complete and detailed information. The reproduction steps must work from the beginning.
- We reserve the right to mark a report as 'Not reproducible' if it takes too long to obtain all necessary information.
- We do not accept submissions from the following countries: Iran, Syria, Cuba, North Korea, and Sudan.
- The program is currently limited to the following consumer Windows applications of Avira only:
  - Avira Free Antivirus
  - Avira Launcher
- Only submissions about bugs in Avira proprietary libraries will be considered and any submission related to 3rd party libraries shall be rejected. For example, if you find a bug in a Microsoft library or any other 3rd party library (even if it’s used by Avira), please report it to Microsoft or the owner of the library instead (but ideally let us know as well).
- Only bugs in the most current and updated versions of these products will be considered, which includes (potentially already fixed) file versions which are available via update only (the fixes might not be included in the download package yet).
- It is the researcher’s own responsibility to pay any taxes and other applicable fees in his/her country of residence.
- In order to be eligible for the bounty, the bug must be original and previously unreported.
- A bounty is only paid for bugs previously unknown to Avira; already known bugs will not receive a bounty. Note: the reference for this is our internal bug tracking system.
- If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first.
- You must not publicly disclose the bug until after an updated version of Avira that fixes the bug is released. Otherwise, the bounty will not be paid.
- The bounty will be paid after Avira has fixed the issue (or, in specific cases, has decided not to fix it).
- Some bugs may take longer to correct. We will do our best to fix any critical bugs in a timely manner. We appreciate your patience.
- Employees of Avira and their close relatives (parents, siblings, children, or spouse) and Avira business partners, consultants, sub-contractors, vendors, agencies, distributors, and their employees are excluded from this program.
- We reserve the right to change the rules of the program, or to pause or cancel it, at any time.