Frequently Asked Questions
Good questions.
Short, honest answers. If something is missing, email security@avala.ai and we'll add it here.
How is this different from a penetration test?
Bug bounty and pen testing are complementary. A penetration test is a scoped, time-boxed engagement with a contracted vendor that produces a formal report — Avala runs annual third-party pen tests separately. The bug bounty program is always on, open to any good-faith researcher, and pays per valid finding. Bug bounty findings inform the pen test scope.
Do I need an account to submit?
Yes — we use magic-link sign-in (no password) to keep a secure, private thread with each researcher, track report status, and manage bounty payouts. Creating an account takes one email. We store only your email, preferred display name (if any), and payment details (once a bounty is approved).
Can I remain anonymous?
Yes. On each report you can choose to be credited by real name, pseudonym, or anonymously. If you want to receive a cash bounty we'll need a PayPal address and a W-9 or W-8BEN, but your public attribution on hall-of-fame / CVE credits can still be anonymous.
What CVSS version do you use?
CVSS v3.1. The severity table in Rewards maps CVSS bands to cash ranges. We accept your self-assessment as a starting point and may adjust the score during triage.
Do duplicates get paid?
First-to-report wins the bounty. Duplicates receive CVE credit if applicable and a thank-you, but not cash. If you believe your report provides materially different information or a better exploit chain, flag it in the submission and we'll review.
How long until I get paid?
Our target is within 30 days of the bounty decision. All payouts are via PayPal. A W-9 (US) or W-8BEN (non-US) form is required before first payout.
Can I publicly disclose my finding?
Please hold disclosure for the 90-day coordinated window from submission, or until we've deployed a fix — whichever comes first. We'll work with you on the public disclosure timeline and happily coordinate on a blog post or advisory once the fix is live.
What about AI/LLM vulnerabilities?
These are explicitly in scope. Indirect prompt injection via customer-uploaded annotation data, authz bypass in our MCP server, model exfiltration through prompts, and novel AI-specific attack classes are particularly valuable to us and eligible for the novel-class multiplier.
Can you sponsor my research with grants or equity?
At this stage we reward research with cash bounties and recognition. Sustained exceptional contributors (3+ valid criticals) may be considered for a formal security advisor engagement with additional compensation — reach out after your first few reports land if that interests you.
I have a question before I submit.
Email security@avala.ai with your pre-submission question. For anything that involves a working exploit, please submit through the portal to keep it in a secure thread.
Still have questions?