About

ExpressVPN operates thousands of VPN servers and makes cross-platform VPN applications for all major desktop and mobile operating systems as well as routers and browser extensions.

ExpressVPN takes the security of its applications and services seriously. We've offered an in-house bug bounty program for years and paid out thousands of dollars to security researchers in that time. We value excellent engineering and are always looking for ways to improve the security of our products and services.

---

Special Bonuses and Rewards

TrustedServer — First Critical Finding Bonus

We have designed our ExpressVPN VPN servers to be secure and resilient. We even have an audited design called TrustedServer that dramatically improves the security posture of our servers. We’re confident in our work in this area and aim to ensure that our VPN servers meet our security expectations.

As such, we’re inviting our researchers to focus testing on the following types of security issues within our VPN servers:

• Unauthorized access to a VPN server or remote code execution
• Vulnerabilities in our VPN server that result in leaking the real IP addresses of clients or the ability to monitor user traffic

In order to qualify to claim this bounty, we will require proof of impact to our user’s privacy. This will require demonstration of unauthorized access, remote code execution, IP address leakage or the ability to monitor unencrypted (non-VPN encrypted) user traffic.

To make this challenge more enticing, we are introducing the following bonus: the first person to submit a valid vulnerability will receive an additional $100,000 USD bonus bounty. This bonus will be valid until the prize has been claimed.

Scope

We use TrustedServer as a platform for all the protocols that we offer our users, so all our VPN servers are considered in scope.

Please ensure that your activities remain in-scope to the program. For example, admin panels for data center services we utilize are out of scope because they are not owned, hosted, and operated by ExpressVPN. If you are unsure if your testing is considered in-scope please reach out to support@bugcrowd.com to confirm first. A researcher found to be testing out of scope will be ineligible for a reward and we will reserve the right to immediately remove the individual from the program.

Exclusions

We strive to ensure that our challenges are on a level playing field. Thus, the following individuals are not eligible to claim the bonus for the first critical finding:

• Full-time or part-time employees of ExpressVPN or any other subsidiary of Kape Technologies, as well as their friends and family; and
• Contractors, consultants, representatives, suppliers, vendors, or any other persons related to or otherwise affiliated with ExpressVPN.

---

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

We will review coordinated disclosures on a case by case basis. However, please note that we will automatically reject any findings that are marked as duplicates or not applicable. Please do not submit a disclosure request if your submission fits into these categories.

API keys and login information such as usernames and passwords may be submitted to the program and will initially be rated as a P5. We recommend you submit this information, and we'll review your submission and determine if it qualifies for an upgraded severity and reward.