Avala Security

Program Overview

The Avala Security Bug Bounty Program.

We welcome security researchers and developers to help us identify vulnerabilities in our systems. Avala pays cash rewards for high-impact findings and recognizes every valid report in our public hall of fame.

We have received false public vulnerability reports in the past and want to reward and encourage honest, constructive, and reproducible research. This page explains what we pay for, how to submit, and what you can expect from us.

What we reward

We pay for security vulnerabilities with demonstrable impact on Avala production systems. We prioritize high-severity findings: exposure of customer data, authentication weaknesses, privilege escalation, and remote code execution.

Strong candidates

  • Authentication / authorization bypass
  • Remote code execution
  • SQL injection, command injection, SSRF
  • Unauthenticated access to customer data or PII
  • Account takeover
  • Prompt injection with data exfiltration in our LLM-powered endpoints
  • MCP server vulnerabilities (bypass of the SELECT-only restriction, role bypass, injection)
  • Subdomain takeover on Avala-owned domains

Weaker candidates

  • Self-XSS without amplification
  • Clickjacking without state-changing impact
  • Missing security headers without a working exploit
  • Version disclosure
  • Open redirects without impact
  • CSRF on unauthenticated routes
  • Rate-limiting issues without demonstrated abuse
  • Findings only against non-production environments

The full in-scope and out-of-scope lists are at /scope.

How the program works

Scope is published and specific.
Every domain, product, SDK, and AI endpoint we consider in scope — and everything we don't — is listed at /scope. Out-of-scope findings (third-party services, DoS, social engineering) aren't eligible for a bounty but are still triaged.
Rewards are tiered by CVSS.
Tiers run from $25 for low-severity findings up to $5,000 for exceptional impact. Quality and novelty multipliers can add up to +50% to the base bounty. Full table at /rewards.
Safe harbor is explicit.
Good-faith research that follows our rules is "authorized" conduct under the CFAA and DMCA. We don't sue or report researchers acting within our policy. Full terms at /rules.
90-day coordinated disclosure.
You hold public disclosure for 90 days after report submission (or until the fix ships, whichever is sooner). We coordinate with you on the public timeline and credit you in our hall of fame.

How to submit

  1. Sign in
     Enter your email at /login — we'll send a magic link. No password. We keep a private thread with you for each report.

  2. Fill out the report
     Affected area, title, reproduction steps, expected vs. actual results, impact, optional CVSS self-assessment, and credit preference.

  3. Attach proof of concept
     Screenshots, short videos, or redacted code. Max 500 MB per attachment. Do not include real customer data.

  4. Submit
     You receive a public ID (AVALA-SEC-2026-XXXX), a confirmation email, and immediate access to the status thread.

  5. Triage & disclosure
     We acknowledge within 48h, triage within 5 business days, and work with you through fix deployment and coordinated disclosure.