ExpressVPN

We are pleased to announce ExpressVPN is now offering bonuses starting as of October 22, 2020 and will end on March 31, 2021!

Below are the bonus details:

First Valid Submission Bonus

Considering joining our bug bounty program? As a first-time submitter, you’ll get a 25% bonus on your bounty for your first valid submission!

TrustedServer - First Critical Finding Bonus

We have designed our ExpressVPN VPN servers to be secure and resilient. We even have an audited design called TrustedServer that dramatically improves the security posture of our servers. We’re confident in our work in this area and aim to ensure that our VPN servers meet our security expectations. As such, we’re inviting our researchers to focus testing on the following types of security issues within our VPN servers:

• Unauthorized access to a VPN server
• Vulnerabilities in our VPN server that weaken our customer’s privacy.

To make this challenge more enticing, we are introducing the following bonus: the first person to submit a valid P1-P2 vulnerability, granting unauthorized access or exposing customer data, will receive an additional $10,000 USD bonus bounty.

Please ensure that your activities remain in-scope to the program. For example, admin panels for data center services we utilize are out of scope because they are not owned, hosted, and operated by ExpressVPN. If you are unsure if your testing is considered in-scope please reach out to support@bugcrowd.com to confirm first. A researcher found to be testing out of scope will be ineligible for a reward and we will reserve the right to immediately remove you from the program.

Note, bonuses are subject to change. If you have any questions about the bonuses, please reach out to support@bugcrowd.com.