Avala Security

Rules & Safe Harbor

The ground rules.

These rules protect your research and our customers. Following them is what earns you legal safe harbor.

Researcher code of conduct

  1. Monthly bounty pool is capped at $5,000 aggregate while we are pre-Series-A. Reports past the cap are still triaged and fixed on SLA — payment is queued to the following month, in order received.
  2. Conduct research in good faith and within the scope defined above.
  3. Stop at proof-of-concept. Do not exfiltrate data beyond what is needed to demonstrate impact.
  4. Do not access, modify, or destroy data that is not yours.
  5. Do not degrade availability (no load or DDoS testing).
  6. Do not pivot into internal networks after establishing an initial foothold.
  7. Do not use automated scanners against production without prior written approval.
  8. Report findings within 48 hours of discovery.
  9. Honor a 90-day coordinated disclosure window after report submission; extensions by mutual agreement.
  10. Do not publicly disclose before the agreed-upon release date.
  11. Do not use social engineering against Avala staff, customers, or contractors.
  12. Do not submit reports generated primarily by automated tools or LLMs without independent validation.

Safe harbor

Avala considers security research and vulnerability disclosure activities conducted consistent with this policy to be "authorized" conduct under the Computer Fraud and Abuse Act (CFAA), the DMCA, and applicable anti-hacking laws.

We will not pursue civil action or file a complaint with law enforcement for accidental, good-faith violations of our policy. If legal action is initiated by a third party against someone acting in compliance with our policy, we will take reasonable steps to make it known that the activities were authorized.

You must still comply with all applicable laws. Safe harbor does not extend to activities that exceed the program scope or rules, or to research conducted outside good-faith security testing.

This policy is modeled on the disclose.io open framework. It is not a substitute for legal advice. If you have legal questions, consult counsel before testing.

Coordinated disclosure

90-day window. You agree to hold public disclosure for 90 days after report submission, or until the fix is deployed, whichever is sooner.

Extensions. Complex issues may need longer. We'll ask and explain why. Extensions are mutual, not unilateral.

Joint publication. Want to co-publish a blog post or advisory once the fix is live? We're in. Either way, you're credited in our hall of fame.

CVE assignment. For qualifying issues, we'll request a CVE on your behalf through MITRE.

Our response SLA

Miss these targets and we owe you an explanation. Usually a bigger bounty, too.

Initial acknowledgment: within 48 hours
Severity assessment & triage: within 5 business days
Status update cadence: every 7 days until resolved
Fix deployment (critical): within 72 hours
Fix deployment (high): within 14 days
Fix deployment (medium/low): within 30 days
Bounty decision: on fix-deployed or determination of non-applicability
Bounty payment: within 30 days of decision
