A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #17884  by Maxstar
 Sun Jan 27, 2013 11:27 am
The bounty program is designed for security-related bugs only. Sorry, we’re not paying for other types of issues like bugs in the UI, localization etc. (nevertheless, if you find such a bug, we will of course very much appreciate if you report it).

We’re generally only interested in these types of bugs (in the order of importance):
  • Remote code execution. These are the most critical bugs.
  • Local privilege escalation. That is, using Avast to e.g. gain admin rights from a non-admin account.
  • Denial-of-service (DoS). In case of Avast, that would typically be BSODs or crashes of the AvastSvc.exe process.
  • Escapes from the avast! Sandbox (via bugs in our code).
  • Certain scanner bypasses. These include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition (please don’t report undetected malware).
  • Other bugs with serious security implications (will be considered on a case by case basis).
The base payment is $200 per bug. Depending on the criticality of the bug (as well as its neatness) the bounty will go much higher (each bug will be judged independently by a panel of experts). Remote code execution bugs will pay at least $3,000$5,000 or more.

http://blog.avast.com/2013/01/25/introd ... ug-bounty/