Skip to main content

Calling all ethical VPN hackers: ExpressVPN launches new-look bug bounty program

(Image credit: Future)

Leading VPN provider ExpressVPN has expanded its bug bounty program in a bid to encourage the widest possible pool of white hat hackers to help root out vulnerabilities in its products and infrastructure.

The firm has operated a bug bounty program since 2016, rewarding tens of thousands of dollars to third party researchers, but has now given the initiative a face-lift with the support of security crowdsourcing platform Bugcrowd.

According to an ExpressVPN blog post, hosting the bug bounty program via Bugcrowd will improve accessibility, draw a wider variety of security talent to the project and thereby ensure customers remain protected.

The new-look program will also allow in-house engineers to focus on addressing any bugs that might be identified, with the assessment and triage of bug reports handled by Bugcrowd.

Express VPN bug bounty program

According to ExpressVPN, the expansion of the bug bounty program was motivated by a fierce commitment to its users’ privacy - the core premise at the heart of the company’s offering.

“Our focus is on finding vulnerabilities that would allow an attacker to access customer data, break encryption protocols, or access our servers, as well as any bugs that can harm our systems and users,” explained ExpressVPN.

“We encourage you to look for these bugs and vulnerabilities in our apps, website, servers, and all other ExpressVPN properties.”

According to the Bugcrowd page, ExpressVPN is offering bounties between $150 - $2,500 per bug, depending on severity. Since the page was launched, 21 vulnerabilities have been rewarded, with an average payout of $726.92, which suggests most were classified as moderately severe.

The company has also pledged “safe harbor” to security researchers, provided their work is performed in good faith, which amounts to a promise not to take legal action against ethical hackers.  

While the program brief is broad, the company will not pay out for bugs found in alpha and beta versions, nor for the discovery of social engineering attacks or physical security flaws at ExpressVPN premises.