Bug Bounty & Vulnerability Disclosure
Help us secure the data platform for Physical AI.
Avala builds ground-truth datasets for the world's leading autonomy and robotics companies. We depend on security researchers to keep our systems safe — and we pay for your work. Cash bounties up to $5,000 per report, plus recognition in our hall of fame.
48-hour acknowledgmentSafe harbor guaranteed90-day coordinated disclosure
Rewards at a glance
What we pay for high-impact findings
| Severity | CVSS v3.1 | Cash |
|---|---|---|
| Informational / Low | < 4.0 | $25 – $50 |
| Medium | 4.0 – 6.9 | $100 – $250 |
| High | 7.0 – 8.9 | $500 – $1,500 |
| Critical | 9.0 – 10.0 | $1,500 – $3,000 |
| Exceptional chain / broad impact | — | Up to $5,000 |
Response SLA
We respond quickly and you always know where your report stands.
- Initial acknowledgment
- Within 48 hours
- Severity assessment & triage
- Within 5 business days
- Status update cadence
- Every 7 days until resolved
- Fix deployment (critical)
- Within 72 hours
- Fix deployment (high)
- Within 14 days
- Fix deployment (medium/low)
- Within 30 days
- Bounty decision
- On fix-deployed or determination of non-applicability
- Bounty payment
- Within 30 days of decision
Found something?
Sign in with a magic link, submit your report, and we'll take it from there.