After almost a decade in the online security industry, PureVPN has grown into one of the market leaders of the VPN industry. With a continuously expanding server base, server locations, compatible software, data encryption tools, authentication protocols, customer support options and payment methods, PureVPN has been relentlessly working towards delivering the best value to its users.
PureVPN's network of 2000+ servers is spread across 140+ countries, serving over 3 million users from all over the world. PureVPN's service has proved to be a practical solution for travelers or teleworkers looking to encrypt their Internet activity on hotel, airport or other insecure public Wi-Fi; businesses that want secure remote access; people who want to stay off the radar of marketers, advertisers and third-party agencies; and Internet users who want their privacy to remain intact.
We are concerned not only with vulnerabilities and loopholes around enumeration and information gathering, but also with vulnerabilities that lead to infrastructure compromise. We are also interested in conventional web application and desktop application vulnerabilities, as well as other vulnerabilities/loopholes that can have a direct impact.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy - that is, excepting issues listed in the "non-rewarded" section near the bottom of this page; please ensure you review this table! It is also important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
We typically reward lower amounts for vulnerabilities that require significant user interaction.
Please be aware that PureVPN may take up to three weeks to accept any given submission and allocate the reward. No rewards should take longer than three weeks to process.
| Technical severity | Reward range |
|---|---|
| P1 Critical | $600 - $1,500 |
| P2 Severe | $300 - $600 |
| P3 Moderate | $100 - $300 |
| P4 Low | $50 - $100 |
Any domain/property of PureVPN or associated entities which is not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Credentials & Access:
Credentials are not provided for this program, and researchers are encouraged to create their own as they're able to. To this end, please feel free to create trials, or use any existing accounts you already own. However, please ONLY test against accounts you expressly own, and not against any other users.
(when testing the thick clients, please be sure to only test against the latest version)
PureVPN Windows App
Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe
PureVPN Mac App
Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/mac/app/purevpn_setup.dmg
PureVPN iOS App
Download URL: On the Apple App Store
PureVPN Android App
Download URL: On the Google Play Store
PureVPN DDWRT Router Applet
Download URL: http://routerapplet.purevpn.com/cgi-bin/applet-cgi.py
- RCE, SQLi, XSS, CSRF, authentication bypass, horizontal privilege escalation, vertical privilege escalation
- Custom clients (software) for Windows, Mac, iOS and Android; download links can be found in the Targets section.
- Our core service and production network, which comprises several hundred Windows-based VPN servers hosted across more than 145 countries. The application connects to PureVPN servers; those who wish to access the network without the software can use the following host addresses.
- On the server end we have the RRAS Windows service and OpenVPN installed, running on ports UDP 53 and TCP 80.
- All the applications listed in the targets section, apart from the web applications, are mainly VPN dialers. A VPN dialer is an application that initiates the VPN connection from the client all the way to the VPN server.
- Self XSS
- Misconfigured or lack of SPF records / DMARC records
- Email spoofing
- Out of date software versions (without PoC)
- Content Spoofing
- Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploits must work at least on browsers newer than IE 8.
- Downloadable .htaccess file without a real security misconfiguration that has a demonstrable security impact
- Login page or one of our websites served over HTTP.
- Password not enforced on user accounts
- Clickjacking or any issue exploitable through clickjacking
- Lack of Secure and HttpOnly cookie flags.
- Username / email enumeration
- CORS issues without a working PoC
- Brute Force attacks
- URL redirection
- DDoS attacks
- CRIME/BEAST attacks
- Non-technical attacks (i.e. social engineering, phishing or unauthorized access to infrastructure).
- Please ensure that assets, or data residing on the assets, are not affected as a result of your testing. Please make all efforts to avoid being destructive during testing.
- All the vulnerabilities reported in a submission should be exploitable directly.
- Rewards are at the discretion of PureVPN and we withhold the right to grant, modify or deny rewards.
- Reports must be submitted in plain text (pictures/videos must be in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.
- Issues found through use of automated tools must not be a simple copy/paste of the result. A PoC and detailed description (with reproduction steps) on how it can affect a user's data or PureVPN's data/infrastructure/Web/mobile/thick-clients must be included with each report.
- Public vulnerability disclosure is NOT allowed (remediated or otherwise)
Program Update: 6th December 2018
In addition to Bugcrowd's VRT, the following service-specific issues can also be reported by researchers and will be rewarded under the P3 category (reward range $100 - $300):
No manipulation of services running on the client system will be accepted, except where the manipulation is based solely on network/protocol-level traffic and is reproducible at will.
For the following tests, it is mandatory to attach a screenshot of a traceroute/MTR to bugcrowd.com taken after establishing the VPN connection.
It is mandatory to attach a screenshot of your assigned IP after a successful VPN connection.
All of the following tests should be performed after establishing a VPN/proxy connection to PureVPN's Canada location.
Reports will be marked incomplete/invalid on violation of the above points.
1) DNS Leak (Except Ozone and Gravity services)
A DNS leak refers to a security flaw that allows DNS requests to be revealed to ISP DNS servers despite the use of a VPN service that is meant to conceal them. Test whether the DNS leak protection mechanism built into the client apps is fit for purpose.
2) IPv6 Leak
This refers to a scenario where the vpn_user's ISP provides IPv6 addresses but the user's VPN server does not support IPv6: the IPv6 traffic passes without being blocked and leaks the user's real IPv6 address to a third party. Test whether the IPv6 blocking mechanism built into the client apps is fit for purpose.
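As an added example (not PureVPN's code or the program's own test procedure), the following Python script checks a packet capture taken while the VPN is connected for the two leak types described in items 1 and 2: DNS queries that escape to a resolver other than the VPN's, and IPv6 traffic that bypasses an IPv4-only tunnel. The tunnel interface name, the VPN resolver address and the capture lines are all constructed assumptions.

```python
import ipaddress
import re
from typing import NamedTuple

# Hypothetical values for this example: the interface the VPN client creates and the
# resolver it pushes to the client. Neither is taken from PureVPN's documentation.
TUNNEL_IFACE = "tun0"
VPN_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}

# Constructed capture of outbound packets while the VPN is up, in a simplified
# tcpdump-like shape: "<iface> <IP|IP6> <src>.<sport> > <dst>.<dport>: ...".
SAMPLE_CAPTURE = """\
tun0 IP 10.8.0.6.51234 > 10.8.0.1.53: A? example.com.
eth0 IP 192.168.1.20.51235 > 203.0.113.53.53: A? example.net.
eth0 IP6 2001:db8::1234.51236 > 2001:db8:ffff::1.443: Flags [S]
eth0 IP6 fe80::1.546 > ff02::1:2.547: dhcp6
tun0 IP 10.8.0.6.40000 > 198.51.100.10.443: Flags [S]
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+IP6?\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):"
)

class Leak(NamedTuple):
    kind: str   # "dns" or "ipv6"
    iface: str
    dst: str
    line: str

def find_leaks(capture: str, tunnel_iface: str = TUNNEL_IFACE,
               vpn_resolvers=VPN_RESOLVERS) -> list[Leak]:
    """Return each packet that the client's leak protection should have blocked."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a unicast packet line in the expected shape
        iface, dst, dport = m["iface"], ipaddress.ip_address(m["dst"]), int(m["dport"])
        # DNS leak: a query leaving on a physical interface, or answered by any
        # resolver other than the VPN's own, exposes the user's lookups to the ISP.
        if dport == 53 and (iface != tunnel_iface or dst not in vpn_resolvers):
            leaks.append(Leak("dns", iface, str(dst), line))
        # IPv6 leak: unicast IPv6 bypassing an IPv4-only tunnel carries the user's real
        # IPv6 address to the destination; link-local/multicast/loopback stays on the LAN.
        elif (dst.version == 6 and iface != tunnel_iface
              and not (dst.is_link_local or dst.is_multicast or dst.is_loopback)):
            leaks.append(Leak("ipv6", iface, str(dst), line))
    return leaks
```

A clean run of a leak-protected client should return an empty list; the constructed capture above deliberately contains one DNS leak on eth0 and one IPv6 leak on eth0.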
3) Real IP Leak via Chrome Browser Extension only (VPN service is NOT in scope)
Any misconfiguration/vulnerability on the server/client side which results in a leak of the user's real IP address to a third party. Test whether the leak protection mechanism built into the browser extension is fit for purpose.
4) WebRTC Leak via Chrome Browser Extension only (VPN service is not in scope)
WebRTC leaks allow a third-party service to detect the user's real IP address when the user browses through a misconfigured web browser. Test whether the leak protection mechanism built into the browser extension is fit for purpose.
5) Session Hijacking
A targeted attack against a user connected over a VPN to hijack their web session. Example cases where this was possible in the past:
1- Heartbleed-type issues.
2- Insecure handling of sessions through ISAKMP Security Associations (SAs).
6) Man-in-the-Middle Attack (Network level)
A scenario where an attacker on the local LAN acts as a proxy between the vpn_user and the VPN server and is able to manipulate the vpn_user's traffic in plain text. (Attacks relying on social engineering or fake certificate acceptance are not allowed.)
7) Incorrect network access rights
A scenario where a misconfigured VPN server/client allows one connected vpn_user to access the network shares of other users connected to the same VPN server.
Program Update: 3rd April 2019
PureVPN is excited to announce additions to their targets. We encourage responsible reporting of vulnerabilities that may be found in the newly added targets. PureVPN is committed to working with security researchers to verify and address any potential vulnerabilities reported to us.
Documentation & Demo Application:
- The target URLs are the same as those used by our real customers, please keep this in mind and act accordingly.
- Please use the Secret Key provided above while testing the SDK; otherwise no report will be considered valid.
- Stress testing is strictly prohibited.
- Testing of Demo Application is strictly prohibited.
- No submissions will be entertained related to Demo Application.
- Each submission should come with a full and detailed explanation.
- PureVPN will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but reserves the right to either downgrade or upgrade a finding's severity based on the criticality of its underlying risk to PureVPN.