Virtual private network service ExpressVPN this week announced the launch of a bug bounty program managed by crowdsourced security testing platform Bugcrowd.
ExpressVPN has been running a bug bounty rewards program for four years, paying tens of thousands of dollars to security researchers who reported vulnerabilities in its apps, network, servers, site, and routers, among other assets.
“Today we are pleased to announce the launch of our newly extended bug-bounty program managed by Bugcrowd, and we encourage researchers, testers, and white-hat hackers to submit their findings through this platform,” the company announced.
By launching the program on Bugcrowd, ExpressVPN hopes to attract more security researchers to look for vulnerabilities in its systems, to improve the overall security and safety of users.
The VPN service will focus on identifying issues leading to data leaks, weaknesses in encryption protocols, and flaws that could allow attackers to access its servers, or do harm to systems and users.
All of ExpressVPN’s properties are within the scope of the program, including apps (both mobile and desktop), browser extensions, APIs, servers, and website.
ExpressVPN is willing to pay between $2,100 and $2,500 for critical vulnerabilities, between $1,000 and $1,250 for issues rated high risk, $450 to $600 for medium-severity flaws, and $150 to $200 for low-risk bugs.
Only vulnerabilities that are responsibly disclosed, without breaking user privacy, and which are within the scope of the program will be considered valid. Further details on what interested security researchers should expect when participating are available on Bugcrowd.
“We provide safe harbor in accordance with disclose.io’s terms. This means you can expect us to validate, respond to, and work on your report in a timely manner, then recognize you if your report leads to a change in our code,” ExpressVPN says, adding that it won’t pursue legal action against research done in good faith.
Hackers interested in the program can head to the “Get Credentials” section on Bugcrowd to receive complimentary ExpressVPN credentials for testing purposes. All submissions will be handled by Bugcrowd, including those received via email.
“Carefully read about the program, especially the scope, the ground rules, the safe harbor agreement, and Bugcrowd’s standard disclosure terms. Please play by the rules, disclose vulnerabilities promptly, and keep them confidential until they are fixed,” ExpressVPN notes.