ExpressVPN’s bug bounty program has been revamped to make it more attractive to ethical hackers, now paying out a one-time bug prize of $100,000 to anyone who can infiltrate its systems.
ExpressVPN is one of the most popular VPN (virtual private network) solutions, offering customers online browsing privacy and the ability to bypass geo-restrictions.
$100,000 Express VPN Bounty Program
This privacy is achieved by routing the user’s Internet traffic through encryption tunnels, while the user’s real IP address is hidden behind the one given by the VPN provider.
As a result, undermining the security of this type of system compromises consumer privacy, one of the most important selling features of these products.
That’s why ExpressVPN runs a bug bounty program, which allows security auditors and researchers to disclose vulnerabilities in the company’s infrastructure and software in exchange for monetary rewards. A new incentive of $100,000 has now been established for serious flaws.
ExpressVPN today announced a $100,000 bug bounty for serious vulnerabilities in its internal technology, TrustedServer.
“This is the largest single bounty awarded on the Bugcrowd system and ten times greater than ExpressVPN’s previous best payout,” the company said in an email to BleepingComputer.
The new one-time $100,000 incentive comes with the following conditions: the US$100,000 prize will be awarded to the first individual to submit a legitimate vulnerability that allows unauthorized access or exposes customer data. This one-time bonus remains active until the reward is claimed.
Only ExpressVPN’s VPN server vulnerabilities are eligible for the one-time $100,000 incentive. Activities must be limited to the TrustedServer platform.
If you are unsure if your tests are in scope, please contact [email protected] first to verify. ExpressVPN also urges security researchers to investigate potential methods of leaking real customer IP addresses and monitoring user activity.
The bug bounty program is run through Bugcrowd, which provides safe harbor for researchers testing ExpressVPN’s servers under the program’s rules.
A hard nut to crack
TrustedServer is a proprietary operating system based on Debian Linux that is purpose-built for VPN infrastructure. ExpressVPN’s servers run entirely in RAM, so all data on a server is wiped every time it reboots.
The system has a build verification feature designed to prevent insider code tampering, and all ExpressVPN servers are regularly patched by means of clean reinstalls.
Finding exploitable flaws will likely be difficult, especially since the bug bounty program has been running for six years, which is why the rewards have grown over time.