ExpressVPN has revamped its bug bounty program to make it more attractive to ethical hackers, adding a one-time $100,000 prize for anyone who can compromise its VPN servers.
ExpressVPN is one of the most popular VPN (virtual private network) solutions, providing customers with online surfing privacy and the ability to circumvent geo-restrictions.
This privacy is achieved by routing the user’s internet traffic through an encrypted tunnel to the provider’s server, so that remote sites see an IP address belonging to the VPN provider rather than the user’s real one.
As a result, undermining the security of such a system compromises the core selling point of these products: the privacy of their customers.
This is why ExpressVPN runs a bug bounty program that allows security auditors and researchers to disclose vulnerabilities in the company’s infrastructure and software in exchange for monetary payouts. A new $100,000 reward has now been established for serious flaws.
ExpressVPN today announced a $100,000 bug bounty for severe vulnerabilities in its in-house technology, TrustedServer.
“This is the greatest single bounty granted on the Bugcrowd system and ten times greater than ExpressVPN’s previous best payout,” the firm said in an email to BleepingComputer.
The new one-time $100,000 incentive comes with the following terms: the US$100,000 prize will be awarded to the first individual who submits a valid vulnerability that allows unauthorized access to a VPN server or exposes customer data. The bonus remains active until the reward is claimed.
Only vulnerabilities in ExpressVPN’s VPN servers are eligible for the one-time US$100,000 incentive, and testing should be restricted to the TrustedServer platform.
If you are unsure whether your testing is in scope, contact firstname.lastname@example.org first to check. ExpressVPN also invites security researchers to investigate potential ways of leaking clients’ real IP addresses or monitoring user activity.
The bug bounty program is managed through Bugcrowd, and it provides safe harbor for researchers: good-faith attempts to break into ExpressVPN’s servers within the program’s scope will not be treated as attacks.
A tough nut to crack
TrustedServer is a proprietary operating system based on Debian Linux and tailored for use in a VPN infrastructure. ExpressVPN’s servers run it entirely from RAM rather than disk, so all data is wiped each time a server reboots.
The system also has a build verification process intended to detect insider code tampering, and it is patched regularly by deploying a clean installation to every ExpressVPN server rather than updating in place.
Exploitable flaws will most likely be hard to find, especially since the bug bounty program has been running for the past six years, which is precisely why the company has raised the reward.