Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

ExpressVPN Announces Bug Bounty Program on Bugcrowd

Virtual private network service ExpressVPN this week announced the launch of a bug bounty program managed by crowdsourced security testing platform Bugcrowd.

Virtual private network service ExpressVPN this week announced the launch of a bug bounty program managed by crowdsourced security testing platform Bugcrowd.

ExpressVPN has been running a bug bounty rewards program for four years, paying tens of thousands of dollars to security researchers who reported vulnerabilities in its apps, network, servers, site, and routers, among other assets.

“Today we are pleased to announce the launch of our newly extended bug-bounty program managed by Bugcrowd, and we encourage researchers, testers, and white-hat hackers to submit their findings through this platform,” the company announced.

By launching the program on Bugcrowd, ExpressVPN hopes to attract more security researchers to look for vulnerabilities in its systems, to improve the overall security and safety of users.

The VPN service will focus on identifying issues leading to data leaks, weaknesses in encryption protocols, and flaws that could allow attackers to access its servers, or do harm to systems and users.

All of ExpressVPN’s properties are within the scope of the program, including apps (both mobile and desktop), browser extensions, APIs, servers, and website.

ExpressVPN is willing to pay between $2,100 and $2,500 for critical vulnerabilities, between $1,000 and $1,250 for issues rated high risk, $450 to $600 for medium-severity flaws, and $150 to $200 for low-risk bugs.

Only vulnerabilities that are responsibly disclosed, without breaking user privacy, and which are within the scope of the program will be considered valid. Further details on what interested security researchers should expect when participating are available on Bugcrowd.

“We provide safe harbor in accordance with’s terms. This means you can expect us to validate, respond to, and work on your report in a timely manner, then recognize you if your report leads to a change in our code,” ExpressVPN says, adding that it won’t pursue legal action against research done in good faith.

Hackers interested in the program can head to the “Get Credentials” section on Bugcrowd to receive complimentary ExpressVPN credentials for testing purposes. All submissions will be handled by Bugcrowd, including those received via email.

“Carefully read about the program, especially the scope, the ground rules, the safe harbor agreement, and Bugcrowd’s standard disclosure terms. Please play by the rules, disclose vulnerabilities promptly, and keep them confidential until they are fixed,” ExpressVPN notes.

Related: Sony Launches PlayStation Bug Bounty Program on HackerOne

Related: Tencent Offers Up to $140,000 for Operating System Vulnerabilities

Related: Apple Kicks Off Public Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.