Program stats

27 vulnerabilities rewarded

3 days average response time

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

ActiVPN provides an easy-to-use anonymizing VPN service. This is a points-only program and is managed by the ActiVPN team.

The target hosts for this bounty are:

  • *.activpn.com
  • ActiVPN infrastructure

Focus areas:

  • Server-side code execution: memory-corruption bugs (buffer overflow, use-after-free) in our server applications
  • Web injection: shell command injection, SQL injection, PHP code injection, cross-site scripting (XSS)
  • Open redirect
  • Authentication or authorization flaws, or a significant leak of customer data

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

Specifically excluded from this bounty:

- DDoS
- Spam
- Phishing
- Logout CSRF
- Clickjacking
- Directory listing (unless it exposes server-side source code that the server would otherwise interpret)
- CSRF (unless it affects the confidentiality or availability of user data)
- Session fixation
- Missing Content-Type header (unless you can also upload a file)
- Cookies set without the Secure flag
- Missing HSTS header
- Cache settings (unless they lead to code execution, privilege escalation, or a significant information leak)
- Path/exception disclosure (we deliberately expose an exception mechanism that reports details of the failure to help with pentesting)
- Password auto-complete in the browser
- Password policy