Update (2026-04-26): We've right-sized reward tiers to reflect what we can sustainably pay as a pre-Series-A startup. Top of band is now $1,500 for findings that merit it (with discretionary bonuses for exceptional chains), and the monthly bounty pool is capped at $5,000 aggregate. The top of each tier is a ceiling, not the default — most findings land within their CVSS band. Current numbers and full rationale at /rewards. The sections below preserve the original launch post; the canonical tier table lives at /rewards.
Avala launches a public bug bounty program today. $25 to $1,500 per finding, with the top of the band reserved for findings that merit it, +50% multipliers for quality and novelty, and discretionary bonuses for exceptional chains. Safe harbor is in writing. 48-hour acknowledgment. 90-day coordinated disclosure. We produce the ground-truth training datasets behind autonomous vehicles, robotics, and embodied AI. A tampered annotation silently poisons a customer's perception stack. A cross-tenant leak breaks NDAs and regulatory commitments. The program exists to find those bugs before attackers do.
What's shipping today
- Rewards from $25 for informational findings up to $1,500 for criticals when they merit it, with discretionary bonuses for exceptional chains. The top of each tier is a ceiling, not the default. A +25% quality bonus and a +25% novelty bonus stack on top. Full tier table at /rewards.
- Safe harbor in writing, modeled on the disclose.io framework. Good-faith research that follows our rules is authorized conduct under the CFAA and DMCA.
- 48-hour acknowledgment SLA. 5-business-day triage. 90-day coordinated disclosure window from submission or fix deployment, whichever is sooner.
- In scope: avala.ai (Mission Control, our Flutter web annotation tool), api.avala.ai (Django REST API + MCP endpoint), our SDKs (avala on PyPI, @avala-ai/sdk and @avala-ai/mcp-server on npm), Auth0 integration flaws in our configuration, and publicly-exposed Avala infrastructure on AWS and Cloudflare. Full scope at /scope.
- Public hall of fame at /hall-of-fame, opt-in per researcher and per report.
- Intake at security.avala.ai/submit with magic-link auth. Every report gets its own private thread.
Why now
Physical AI is about to become the most consequential training-data pipeline on Earth. Every autonomous vehicle, every humanoid, every embodied agent ships models trained on datasets like the ones we produce. The attack surface that comes with that is specific and underexamined.
Adversarial attacks on annotation pipelines are the subtle class, and they're also the most devastating. Model poisoning through tampered labels propagates silently into customer training runs. By the time the corruption surfaces, the model is already in production and the dataset is referenced in a dozen downstream jobs. A well-placed label injection against a single AV pre-production dataset could corrupt a perception model whose errors wouldn't show up on standard benchmarks, but would fail in specific real-world scenarios the attacker chose. That class of attack is the reason we prioritize defensive engineering at the data-pipeline layer, and it's where a thoughtful bounty program pays off the most.
We've been paying researchers ad-hoc for a while now. Significant finding, quiet acknowledgment, ad-hoc payout. That works at our scale, but it doesn't incentivize the right research, and it doesn't give external researchers a reason to invest time here. A public program with clear reward bands, written safe harbor, and operational SLAs does. Today formalizes what's been informal.
What we pay
| Severity | CVSS v3.1 | Cash | Also |
|---|---|---|---|
| Informational / Low | < 4.0 | $25 | Swag, hall of fame, CVE credit if applicable |
| Medium | 4.0 to 6.9 | $100 to $150 | Swag, hall of fame |
| High | 7.0 to 8.9 | $250 to $500 | Swag, hall of fame |
| Critical | 9.0 to 10.0 | $500 to $1,500 | Swag, hall of fame |
| Exceptional chain or broad impact | — | Discretionary bonus | Case-by-case, Avala discretion |
Multipliers are discretionary and stack up to +50%.
- +25% quality bonus when the initial submission includes reproduction steps, impact analysis, and a suggested fix.
- +25% novelty bonus for the first finding of its kind in an AI/LLM-specific class, or a genuinely new vulnerability class on our platform.
First-to-report wins. Duplicates earn CVE credit but no cash. Payment is targeted within 30 days of the bounty decision. Full details at /rewards.
What's already hardened
Start here so you know the baseline. Any attack that succeeds has to get past all of this first.
The platform enforces per-customer workspace isolation at the Django permission layer. Auth0 JWT with RS256 validates every request. API keys are scoped by role and capability, not issued as bearer all-access credentials.
The MCP endpoint at api.avala.ai/api/v1/mcp/ sits behind staff-only API-key auth at the HTTP boundary and runs two independent write defenses behind it. SELECT-only SQL enforcement inside the query tool, built on a sqlglot AST walk (not regex), catches CTE-hidden writes and FOR UPDATE locks. The Postgres connection itself is opened with SET SESSION CHARACTERISTICS AS TRANSACTION READ ONLY, so engine-level rejection is the last line of defense. Both layers have to fail before a write can land.
The API uses parameterized queries throughout. Django ORM or cursor.execute(..., params) for every database call. Secrets live in environment variables, never hardcoded, and CI blocks commits matching credential patterns via Gitleaks. Production deployment uses IAM role assumption rather than long-lived access keys.
Infrastructure is in Terraform Cloud. Production RDS has deletion protection on and automated daily snapshots. Compliance posture is SOC 2 Type II, with the Vanta trust center at trust.avala.ai. Third-party integrations are scoped: Auth0 handles identity, Stripe handles billing and never touches our card-data path, and customer-uploaded sensor files go through content-type validation and size caps before any decode path runs.
None of the above means the work is done. It means the obvious attacks are blocked, and your research is most useful when it targets the edges.
Where we think interesting work lives
Pointing at surfaces, not enumerating bugs. These are the places where, with unlimited time, we'd look ourselves.
Prompt injection into LLM-powered customer surfaces. We handle customer-supplied text (dataset descriptions, annotation guidelines, labels) that can flow into LLM prompts alongside system instructions. The boundary between untrusted customer input and privileged system context is where the interesting work is.
MCP authorization edges. The staff-gate plus SELECT-only layering is sound, but the interesting attack paths run around it. Auth-to-tool handoff: does every MCP tool share the same permission class, or is there a path that skips it? CTE-hidden writes that sqlglot normalizes differently than Postgres executes. Connection-pooling edge cases where a session's READ ONLY flag isn't applied.
SDK credential lifecycle. Both the Python SDK (avala on PyPI) and the TypeScript SDK (@avala-ai/sdk on npm) ship with API-key-scoped auth. A credential-theft chain that works against SDK users, whether through dependency confusion, cache poisoning, or SDK-side validation gaps, would land in the top reward band.
Cross-tenant edges in the annotation pipeline. Per-workspace isolation is enforced at the model, permission, and storage layers. The interesting surface is anywhere those three layers hand off to each other.
MCAP visualizer. We decode customer-provided zstd-compressed binary robot telemetry (MCAP files) in WebAssembly, then render point clouds through WebGPU. Memory-safety bugs in the decode path, cross-origin isolation gaps, or arbitrary-code execution in WASM would be high-impact.
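The content-type validation and size caps mentioned under "What's already hardened", and the decode path this surface describes, come down to one ordering rule: validate before decoding, and bound the decoder's output, not only its input, because a cap on compressed size says nothing about how much a compressed stream expands to. As an added example (not Avala's code), here is such a gate using zlib from the standard library as a stand-in for zstd so it runs offline; the caps, the allowed content type and the sample payloads are constructed for illustration.

```python
# Added example (not Avala's code): gate a customer upload before any decode
# path runs. zlib stands in for zstd so this runs with the standard library;
# the caps, the allowed content type and the sample payloads are constructed.
import zlib
from dataclasses import dataclass

MAX_COMPRESSED_BYTES = 1 * 1024 * 1024        # cap on what we accept on the wire
MAX_DECOMPRESSED_BYTES = 4 * 1024 * 1024      # cap on what the decoder may produce
ALLOWED_CONTENT_TYPES = {"application/zlib"}  # constructed policy
ZLIB_CMF_BYTE = 0x78  # CM=8 (deflate), CINFO=7 (32 KiB window): the usual zlib header


@dataclass
class GateResult:
    accepted: bool
    reason: str
    payload: bytes = b""


def gate_upload(content_type: str, data: bytes) -> GateResult:
    """Validate declared type, wire size and magic, then decode with an output cap."""
    if content_type not in ALLOWED_CONTENT_TYPES:
        return GateResult(False, "content_type_not_allowed")
    if len(data) > MAX_COMPRESSED_BYTES:
        return GateResult(False, "compressed_too_large")
    # Check the bytes, not just the declared type: the header must look like zlib.
    if len(data) < 2 or data[0] != ZLIB_CMF_BYTE:
        return GateResult(False, "bad_magic")

    # A few kilobytes of compressed zeros expand to many megabytes. Ask the
    # decompressor for at most cap+1 bytes; if it can produce that many, the
    # payload is over the cap and we stop without materialising the rest.
    decompressor = zlib.decompressobj()
    try:
        payload = decompressor.decompress(data, MAX_DECOMPRESSED_BYTES + 1)
    except zlib.error:
        return GateResult(False, "corrupt_stream")
    if len(payload) > MAX_DECOMPRESSED_BYTES:
        return GateResult(False, "decompressed_too_large")
    if not decompressor.eof:
        # Stream ended early: truncated upload or missing checksum trailer.
        return GateResult(False, "truncated_stream")
    return GateResult(True, "ok", payload)


# Constructed sample inputs for a stand-alone run.
GOOD_UPLOAD = zlib.compress(b"lidar-frame:" * 2048)       # small, well-formed
BOMB_UPLOAD = zlib.compress(bytes(16 * 1024 * 1024))      # ~16 KiB that expands to 16 MiB
TRUNCATED_UPLOAD = GOOD_UPLOAD[:-4]                        # Adler-32 trailer cut off

if __name__ == "__main__":
    for name, blob in [("good", GOOD_UPLOAD), ("bomb", BOMB_UPLOAD), ("truncated", TRUNCATED_UPLOAD)]:
        result = gate_upload("application/zlib", blob)
        print(f"{name}: accepted={result.accepted} reason={result.reason} bytes={len(result.payload)}")
```

The order of the checks matters: the cheap checks (declared type, wire size, magic) run before the decoder is ever handed the bytes, and the decoder runs only with an output bound. In the WASM case the same bound belongs inside the decode loop that feeds the renderer, so that a malformed chunk can at worst produce a rejected file rather than an out-of-bounds write.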
None of the above is a known weakness. They're surfaces where we'd expect attackers to look if they wanted to break us, and where we'd spend our own time if we had the bandwidth. A report that explains why one of these actually matters, with a working proof of concept, is the shape of submission we're most interested in.
Our commitments
- Acknowledgment within 48 hours of submission
- Triage within 5 business days
- Status updates every 7 days until the report is resolved
- Fix deployment: 72 hours for critical, 14 days for high, 30 days for medium and low
- Bounty decision on fix-deployed, duplicate determination, or non-applicability
- Payment within 30 days of the decision
Miss these SLAs and we owe you an explanation. Usually a bigger bounty, too.
Where we go from here
Avala is a seed-stage company. Today's reward ceiling reflects that. As the company grows, the program grows with it: larger individual bounties, expanded categories, and, when our platform scale warrants it, a research-device or flag-based accelerated-award system in the shape of what Apple has shipped. We'll publish program changes here as they happen, rather than quietly updating price tags.
The first researchers through a new program get disproportionate influence on what it becomes. If you land a valid finding in these early months, you're not just collecting a bounty. You're testing operational rough edges, shaping which categories we double down on, and setting the bar for every researcher who comes after. We credit you explicitly on /hall-of-fame and prioritize your future reports.
One more thing on values. Avala's Master Plan (2023) and Part II (2025) lay out the thesis the company was founded on: pay the humans who train AI as partners, not disposable inputs. That's People-First AI as operational necessity, not a slogan. Security researchers sit at the same table. You're the labor that keeps the platform safe for the 15,000+ coworkers who do the annotation work, and for the customers whose models depend on their output. So we pay fast, credit honestly, and write this program the way we'd want it written if we were the ones submitting.
Safe harbor
Research conducted in good faith, within the scope at /scope and rules at /rules, is authorized conduct under the CFAA, the DMCA, and applicable anti-hacking laws. We don't pursue civil action or file complaints with law enforcement against researchers acting within policy. If a third party initiates legal action against someone acting within our policy, we take reasonable steps to make it known the activity was authorized. Full text, modeled on the disclose.io framework, is at /rules.
Submit
Intake: security.avala.ai/submit. Magic-link auth, no password. Every report gets its own private thread.
Questions that don't belong in a report: security@avala.ai.
Program details: /bounty. Scope: /scope. Rules and safe harbor: /rules. Full reward tiers: /rewards.
The first valid high- or critical-severity external report earns the inaugural hall-of-fame slot.