Issues are unavoidable in the IT world – but problems can be a matter of
choice. At Avira, we’ve chosen a proactive approach as the single best way to
respond to new or potential security issues before a full-blown problem can
emerge. This approach requires working with and listening to the leading
researchers and companies in the security space. We appreciate and fully
support this community’s efforts to create a more secure world.
This program is a pilot initiative from Avira. Depending on the success of
this initiative, we may therefore decide to change, pause or cancel the
program at any time and without further notice. We encourage you to check the
status of the program on a regular basis.
| Target name | Type |
| --- | --- |
| Avira Free Antivirus (PC client side application) | Other |
| Avira Launcher Windows (PC client side application) | Other |
This program is targeted purely at the client side applications. Any
server/back-end testing is out of scope of this program. [this is to say that
any request, regardless of origin, to any web-based property is out of
Please, always download the latest installation package:
We are interested in security-related bugs only:
- Remote code execution
- Local privilege escalation: e.g. situations when Avira allows a non-privileged user to gain Administrator or System rights
- Denial of service (DoS): e.g. crashes of Avira processes or BSOD caused by Avira drivers
- Self Protection bypass (from user-mode only): e.g. causing corruption of Avira files, registry keys or running processes or making key components of Avira product nonfunctional
- Other security related bugs with a severe impact on the system security or stability
Please read and follow the rules in the Standard Disclosure Terms.
Out of Scope
All Avira systems and services not expressly listed above (see 'Targets') are
explicitly excluded from the bounty program. Any researcher seeking to perform
vulnerability testing upon excluded systems, including server or back-end
testing, must have prior written consent from the Security Manager Products &
Services at Avira. We reserve the right to legally pursue researchers
conducting vulnerability testing on excluded systems without prior written
Our Antivirus software (the targets mentioned above) does communicate with
backends/web services, e.g. it sends data or fetches updates. As stated above,
all those backends/web services must not be a target and are out of scope.
The following finding types are specifically excluded from the program:
- Functional, UI and UX bugs, and spelling or localization mistakes.
- False positive clean app detection or False negative malware detection -- please report these here: https://analysis.avira.com/en/submit
- Specific preparation of a system done via Windows Safe Mode or with administrative or elevated permissions
- Bugs in Windows OS and libraries, even though Avira may be using them
- All applications offered inside or managed through the 'Avira Launcher' are excluded and out of scope from the program (except our Free AntiVirus)
For out of scope inquiries, please send us an email:
To participate, download a product and submit a bug, you must accept the Avira
End User License Agreement (http://www.avira.com/en/license-agreement-terms-of-use/)
for the corresponding product. We reserve the right to cancel this
program at any time and the decision to reward a bounty or not is entirely at
our discretion. In participating in this program, you must comply with all
applicable laws and regulations. You may not disrupt any service or compromise
Basic rules of participation
The aforementioned amounts are suggested maximum amounts only. The final
determination of the payouts is subject to Avira's exclusive discretion.
- The above-mentioned ranges may change at any time - typically based on the number and quality of incoming reports.
- This bounty is subject to Bugcrowd’s [standard disclosure terms](https://bugcrowd.com/resources/standard-disclosure-terms).
- The reports must be submitted in English.
- All files sent to Avira have to be in typical and common file formats. So video files should be sent in .mp4 or .avi format.
- If it is recommended to send a 'Proof of concept' file, this file has to be sent as a running version (compiled file) AND as the source-code project. Please put these together in an archive like zip, rar or 7zip.
- All vulnerabilities have to be described step by step. The descriptions have to be complete, with detailed information. The way to reproduce the issue must work from the beginning.
- We reserve the right to change the report to 'Not reproducible' in case it takes too long to get all necessary information for the report.
- We do not accept submissions from the following countries: Iran, Syria, Cuba, North Korea, and Sudan.
- The program is currently limited to the following consumer Windows applications of Avira only:
  - Avira Free Antivirus
  - Avira Launcher
- Only submissions about bugs in Avira proprietary libraries will be considered and any submission related to 3rd party libraries shall be rejected. For example, if you find a bug in a Microsoft library or any other 3rd party library (even if it’s used by Avira), please report it to Microsoft or the owner of the library instead (but ideally let us know as well).
- Only bugs in the most current and updated versions of these products will be considered, which includes (potentially already fixed) file versions which are available via update only (the fixes might not be included in the download package yet).
- It is the researcher’s own responsibility to pay any taxes and other applicable fees in his/her country of residence.
- In order to be eligible for the bounty, the bug must be original and previously unreported.
- A bounty shall only be paid for bugs which were unknown to Avira. Already known bugs will not receive a bounty. Note: the reference is our internal bug tracking system.
- If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first.
- You must not publicly disclose the bug until after an updated version of Avira that fixes the bug is released. Otherwise, the bounty will not be paid.
- The bounty will be paid after Avira has fixed the issue (or, in specific cases, decides not to fix it).
- Some bugs may take longer to correct. We will do our best to fix any critical bugs in a timely manner. We appreciate your patience.
- Employees of Avira and their close relatives (parents, siblings, children, or spouse) and Avira business partners, consultants, sub-contractors, vendors, agencies, distributors, and their employees are excluded from this program.
- We reserve the right to change the rules of the program, or to pause or cancel it, at any time.
This program follows Bugcrowd’s standard disclosure
This program does not offer financial or point-based rewards for P5 —
Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a