Amnpardaz Bug Bounty Program

Discover vulnerabilities and receive rewards from Amnpardaz.

The Amnpardaz Bug Bounty Program invites cybersecurity researchers and security specialists from around the world to identify hidden vulnerabilities within our systems. Each valid finding contributes to strengthening digital security and may qualify for rewards valued up to the equivalent of several million tomans.

How Does the Amnpardaz Bug Bounty Program Work?

Amnpardaz has allocated a grand prize equivalent to USD 110,000 for qualifying bug bounty findings. Previously, this program was available only to selected security researchers. In line with Amnpardaz's ongoing objective of strengthening cybersecurity and digital trust, the program details are now publicly available to the broader security community. The program is conducted across two categories: Amnpardaz products and infrastructure systems.

Product Bug Bounty Program

Systems Bug Bounty Program

Eligible Products and Conditions:

Latest version of the Amnpardaz Anti-Ransomware solution.
Latest publicly available version of Amnpardaz antivirus products at the time of reporting, including Amnpardaz Base and Amnpardaz Corporate.
For beta-version reports, the latest beta release must be tested.
Windows 10 or later, fully updated and without unauthorized modifications.

Vulnerability Type	Remote(without access to the network behind NAT)	LAN(host access through the network)	Local vector(direct host access using a standard user)
Remote Code Execution (RCE)in main process (SYSTEM-level privileges)	Up to equivalent of$20,000	Up to equivalent of$5,000	——
Remote Code Execution (RCE)in UI process (low-level privileges)	Up to equivalent of$10,000	Up to equivalent of$2,000	——
Local Privilege Escalation (LPE)	——	——	Up to equivalent of$1,000
Product Disruption by a Non-Administrator User	——	——	Up to equivalent of$200

USD 110,000 Grand Prize

Vulnerabilities that enable remote exploitation outside the target network through man-in-the-middle attacks against supporting services, allowing malicious code execution with unrestricted privileges, without user awareness, and with persistence after system restart.

Additional Notes

Reward amounts are determined proportionally based on the vulnerability score under the CVSSv3 standard.
Reports containing complete technical details and clear PoC source code may qualify for higher rewards.
Reports related to new malware detection or issues addressable through signatures, unpackers, or similar methods are excluded from this program.
To review the definitions of RCE, LPE, and other technical terms used within the Amnpardaz Bug Bounty Program, please refer to the following article:

https://kb.amnpardaz.com/en/2018/274/definitions-and-terms-of-the-Amnpardaz-bug-hunting-award-program/

Program Process:

The participant submits the vulnerability report to bug@amnpardaz.com in accordance with the reporting format defined in this program.

The Amnpardaz security team reviews the report and may request additional information if required.

The vulnerability is validated by the Amnpardaz security team, and the participant is notified within three business days.

Bug Fixing and Patch Release - Vulnerabilities must not be disclosed through any means until the relevant patch has been released across all associated products and made available to users. Given that not all users update their antivirus software immediately, a timeframe for full patch propagation must be allowed to ensure user protection. Additionally, some resolutions may be time-consuming or involve certain considerations; these will be decided by the Padvish Security Team and communicated to the participant.

Following patch release and after a reasonable period, technical details may be disclosed with written approval from the Amnpardaz security team. Exploit code may not be published.

Upon request, the participant's name may be acknowledged by the Amnpardaz team as the vulnerability reporter.

Report Submission Format

To ensure accurate review and communication, submitted reports must follow the formats below.

For infrastructure-related reports, a HAR file generated during exploit execution must also be attached (Guide)

Program Requirements

To participate in the program, reports must be submitted exclusively to bug@amnpardaz.com and follow the required format.
Submitted reports must include a PoC code sample or, at minimum, precise reproduction steps that can be executed and tested on an installed product environment.
The vulnerability must be reported under responsible disclosure principles. Reports are not eligible if vulnerability information, with or without technical details, has been shared with third parties. Additionally, both parties must sign a non-disclosure agreement before payment is processed.
Members of the Amnpardaz team, employees of Amnpardaz, and their immediate family members are excluded from participation.
Before submission, please review the Bug Bounty Program Guide: https://kb.amnpardaz.com/en/2018/274/definitions-and-terms-of-the-Amnpardaz-bug-hunting-award-program/

Cases Outside the Bug Bounty Program

The Amnpardaz security team also accepts security-related reports concerning other systems and products developed by Amnpardaz Software Company. Researchers and security specialists may submit reports outside the formal bug bounty program through the following channels:

Email:bug@amnpardaz.comFor reporting security issues and vulnerabilities

Email:virus@amnpardaz.comDirect communication with the malware laboratory for submitting new malware samples or requesting detection analysis

Email:support@amnpardaz.comContact Amnpardaz support regarding non-security-related issues across all Amnpardaz products or backend systems