Program Overview
Find bugs. Get paid. Get credit.
Cash rewards for every high-impact security finding in Avala production, plus a public hall-of-fame slot. Top finding pays up to $1,500 when it merits it, with discretionary bonuses for exceptional chains. Avala is pre-Series-A — these tiers reflect what we can sustainably pay today, and we plan to raise them as we grow.
We've dealt with a few noisy and unreproducible public reports. This page spells out exactly what earns a bounty, what doesn't, and what you get back from us.
What we reward
Bugs with demonstrable impact on Avala production. Customer data, authentication, privilege escalation, and remote code execution pay the most.
Strong candidates
- Authentication / authorization bypass
- Remote code execution
- SQL injection, command injection, SSRF
- Unauthenticated access to customer data or PII
- Account takeover
- Prompt injection with data exfiltration in our LLM-powered endpoints
- MCP server (SELECT-only bypass, role bypass, injection)
- Subdomain takeover on Avala-owned domains
Weaker candidates
- Self-XSS without amplification
- Clickjacking without state-changing impact
- Missing security headers without a working exploit
- Version disclosure
- Open redirects without impact
- CSRF on unauthenticated routes
- Rate-limiting issues without demonstrated abuse
- Findings only against non-production environments
Full in/out of scope at /scope.
Four ground rules.
- Scope is published and specific. Every in-scope domain, product, SDK, and AI endpoint is listed at /scope, along with what's out. Out-of-scope findings (third-party services, DoS, social engineering) get triaged, but not paid.
- Rewards are tiered by CVSS. Tiers run from $25 for low-severity findings up to $1,500 for criticals that merit it, with discretionary bonuses for exceptional chains. Quality and novelty multipliers can add up to +50% to the base bounty. Full table at /rewards.
- Safe harbor, in writing. Good-faith research that follows our rules is “authorized” conduct under the CFAA and DMCA. We don't sue or report researchers acting within policy. Full terms at /rules.
- 90-day coordinated disclosure. You hold public disclosure for 90 days after report submission (or until the fix ships, whichever is sooner). We coordinate with you on the public timeline and credit you in our hall of fame.
How to submit
1. Sign in. Enter your email at /login. Magic link, no password. Every report gets its own private thread.
2. Fill out the report. Affected area, title, reproduction steps, expected vs actual results, impact, optional CVSS self-assessment, and credit preference.
3. Attach proof of concept. Screenshots, short videos, or redacted code. Max 500 MB per attachment. Do not include real customer data.
4. Submit. You receive a public ID (AVALA-SEC-2026-XXXX), a confirmation email, and immediate access to the status thread.
5. Triage & disclosure. We acknowledge within 48h, triage within 5 business days, and work with you through fix deployment and coordinated disclosure.