ExpressVPN just dramatically increased its bug bounty reward


ExpressVPN revealed that it now offers ten times more money to anyone who can find security bugs.

The company announced, through Bugcrowd’s Bug Bounty program, that it would reward anyone able to find and demonstrate a “critical security bug” in ExpressVPN’s in-house technology, TrustedServer, with $100,000.

The company’s previous main reward was $10,000.

User traffic monitoring

A “critical security bug” would be one that allows either unauthorized access to a VPN server or remote code execution on it (for example, running malware).

It would also cover any vulnerability in the VPN server that leaks clients’ real IP addresses or lets third parties monitor user traffic.

TrustedServer’s goal, as ExpressVPN explains, is to “significantly minimize” the problems inherent in traditional server management.

At its core, it’s an operating system with “multiple layers of protection”: a custom Linux distribution built on Debian Linux and developed in-house, a reproducible build and verification system to ensure the authenticity of the source code and the build system, and the ability for ExpressVPN to know exactly what is running on each server.
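The two properties named above, reproducible builds and knowing exactly what runs on each server, come down to comparing digests. The following is an added illustration, not ExpressVPN’s or TrustedServer’s code: it checks that two independent builds of the same source produce identical artifacts, and compares the files actually present on a host against an allow-list manifest of expected SHA-256 digests, reporting anything missing, modified, or unexpected. The file paths, build contents, and manifest are constructed sample values.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def is_reproducible(build_a: bytes, build_b: bytes) -> bool:
    """A build is reproducible when two independent builds of the same
    source yield byte-identical artifacts, i.e. matching digests."""
    return sha256_hex(build_a) == sha256_hex(build_b)


def verify_against_manifest(manifest: dict, running: dict) -> dict:
    """Compare what is actually on a host with the expected manifest.

    manifest: path -> expected SHA-256 hex digest (from the verified build)
    running:  path -> bytes actually present on the host
    Returns path -> "missing" | "mismatch" | "unexpected"; an empty dict
    means the host runs exactly the verified build and nothing else.
    """
    problems = {}
    for path, expected in manifest.items():
        if path not in running:
            problems[path] = "missing"
        elif sha256_hex(running[path]) != expected:
            problems[path] = "mismatch"
    for path in running:
        if path not in manifest:
            problems[path] = "unexpected"  # file the build never shipped
    return problems


# Constructed sample data (hypothetical paths and contents).
REFERENCE_BUILD = {
    "/usr/sbin/vpnd": b"vpnd-binary-v1",
    "/etc/vpnd/vpnd.conf": b"server-config",
}
# The manifest is derived from the verified reference build.
MANIFEST = {path: sha256_hex(data) for path, data in REFERENCE_BUILD.items()}

# A host that matches the build exactly.
RUNNING_OK = dict(REFERENCE_BUILD)

# A host where the daemon was altered and an extra library appeared.
RUNNING_TAMPERED = {
    "/usr/sbin/vpnd": b"vpnd-binary-v1-modified",
    "/etc/vpnd/vpnd.conf": b"server-config",
    "/tmp/extra.so": b"unknown",
}


if __name__ == "__main__":
    print("reproducible:", is_reproducible(b"vpnd-binary-v1", b"vpnd-binary-v1"))
    print("clean host:", verify_against_manifest(MANIFEST, RUNNING_OK))
    print("tampered host:", verify_against_manifest(MANIFEST, RUNNING_TAMPERED))
```

In practice the manifest would be signed and the digests compared by an attestation process rather than by code on the host being checked; the point of the example is that both reproducibility and “knowing what is running” reduce to digest equality, so any deviation is detectable.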

“Traditionally, VPN infrastructure can be vulnerable to several privacy and security risks,” commented Shaun Smith, Software Engineering Fellow at ExpressVPN and the architect behind TrustedServer.

“Indeed, most traditional server infrastructure management approaches cannot account for the various security and privacy risks that are important for VPN service providers to mitigate. We built TrustedServer to address these risks and make the same solution scalable, consistent, and secure across all of our servers.”

Virtual private networks were once an essential part of network security. However, in recent times, especially with the emergence of remote and hybrid working and with cybercrime becoming more dangerous than ever, organizations are increasingly turning to Zero Trust Network Access (ZTNA).
