ExpressVPN

Help us improve the security and privacy of ExpressVPN users.

  • $150 – $2,500 per vulnerability
  • Up to $10,000 maximum reward
  • Safe harbor
  • Managed by Bugcrowd
Submit report

Program stats

61 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$430.35 average payout (last 3 months)

Latest hall of famers

View all 61

Recently joined this program

329 total

About

ExpressVPN operates thousands of VPN servers and makes cross-platform VPN applications for all major desktop and mobile operating systems as well as routers and browser extensions.

ExpressVPN takes the security of its applications and services seriously. We've offered an in-house bug bounty program for years and paid out thousands of dollars to security researchers in that time. We value excellent engineering and are always looking for ways to improve the security of our products and services.

Special Bonuses and Rewards

First Valid Submission Bonus

Considering joining our bug bounty program? As a first-time submitter, you’ll get a 25% bonus on your bounty for your first valid submission! This is a limited-time bonus, so make sure you submit before 2021-03-31.

TrustedServer — First Critical Finding Bonus

We have designed our ExpressVPN VPN servers to be secure and resilient. We even have an audited design called TrustedServer that dramatically improves the security posture of our servers. We’re confident in our work in this area and aim to ensure that our VPN servers meet our security expectations. As such, we’re inviting our researchers to focus testing on the following types of security issues within our VPN servers:

  • unauthorized access to a VPN server,
  • vulnerabilities in our VPN server that weaken our customer’s privacy.

To make this challenge more enticing, we are introducing the following bonus: the first person to submit a valid P1-P2 vulnerability, granting unauthorized access or exposing customer data, will receive an additional $10,000 USD bonus bounty. This limited-time bonus will be valid until 2021-03-31 or until the prize has been claimed.

Please ensure that your activities remain in-scope to the program. For example, admin panels for data center services we utilize are out of scope because they are not owned, hosted, and operated by ExpressVPN. If you are unsure if your testing is considered in-scope please reach out to support@bugcrowd.com to confirm first. A researcher found to be testing out of scope will be ineligible for a reward and we will reserve the right to immediately remove you from the program.

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.