Program stats

28 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

ActiVPN provides an easy-to-use anonymizing VPN service. This is a points-only program and is managed by the ActiVPN team.

The target hosts for this bounty are:

  • *
  • ActiVPN infrastructure

Focus areas:

  • Server-side code execution: buffer overflow (BOF) or use-after-free (UAF) in our server applications
  • Web Command Injection: Shell Injection, XSS, SQL Injection, PHP injection
  • Open redirect
  • Authentication or authorization flaw, or significant info leak of customer data

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

Specifically excluded from this bounty:

- Spam
- Phishing
- Logout CSRF
- ClickJacking
- Directory Listing (unless you get server interpreted source code)
- CSRF (unless it affects the confidentiality or the availability of user data)
- Session Fixation
- Missing Content-Type header unless you can upload a file
- Cookie set without secure flag
- Missing HSTS header
- Cache settings (unless you get code execution, privilege escalation, or a significant info leak)
- Path/Exception disclosure (we deliberately set up an exception mechanism that reports information about the failure, to help with pentesting)
- Password auto-complete in the browser
- Password policy