Avala
Security

FAQ

Questions we get about the program.

Missing something? Email security@avala.ai.

How is this different from a penetration test?

They work together. A pen test is a scoped, time-boxed vendor engagement that produces a formal report. Avala runs those annually, separately from the bounty program. The bug bounty is always on, open to anyone, and pays per valid finding. Bounty findings feed back into the next pen test scope.

Do I need an account to submit?

Yes. We use magic-link sign-in (no password) so every report has a private thread, status tracking, and a payout channel. Creating an account takes one email. We store your email, display name, and (once a bounty is approved) payment details.

Can I remain anonymous?

Yes. On each report you can choose to be credited by real name, pseudonym, or anonymously. If you want to receive a cash bounty we'll need a PayPal address and a W-9 or W-8BEN, but your public attribution on hall-of-fame / CVE credits can still be anonymous.

What CVSS version do you use?

CVSS v3.1. The severity table in Rewards maps CVSS bands to cash ranges. We accept your self-assessment as a starting point and may adjust the score during triage.

Do duplicates get paid?

First-to-report wins the bounty. Duplicates receive CVE credit if applicable and a thank-you, but not cash. If you believe your report provides materially different information or a better exploit chain, flag it in the submission and we'll review.

How long until I get paid?

Our target is within 30 days of the bounty decision. All payouts are via PayPal. A W-9 (US) or W-8BEN (non-US) form is required before first payout.

Can I publicly disclose my finding?

Hold disclosure for 90 days from submission, or until the fix ships, whichever comes first. We coordinate the public timeline with you and will happily co-publish a blog post or advisory once the fix is live.

What about AI/LLM vulnerabilities?

These are explicitly in scope. Indirect prompt injection via customer-uploaded annotation data, authz bypass in our MCP server, model exfiltration through prompts, and novel AI-specific attack classes are particularly valuable to us and eligible for the novel-class multiplier.

Can you sponsor my research with grants or equity?

Right now we offer cash bounties and public recognition only. Researchers with 3+ valid criticals may be considered for a paid security advisor engagement. If that sounds interesting, reach out after your first few reports land.

I have a question before I submit.

Email security@avala.ai with your pre-submission question. For anything that involves a working exploit, please submit through the portal to keep it in a secure thread.