• Points per vulnerability
  • Managed by Bugcrowd

Program stats

125 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

Latest hall of famers

Recently joined this program

After almost a decade of being part of the online security industry, PureVPN has grown into one of the market leaders of the VPN industry. With continuously expanding server base, server locations, compatible software, data encryption tools, authentication protocols, customer support options and payment methods, PureVPN has been relentlessly working towards delivering the best value to its users.

PureVPN's network of 550+ servers is spread across more than 145 countries, serving over 1 million users from all over the world. PureVPN’s service has proved to be practical solution for travelers or teleworkers looking to encrypt their Internet activity on a hotel/airport or other insecure public Wi-if, businesses who want remote secure access, people who want to avoid being on the radar of marketers, advertisers, and third-party agencies, and internet users that want their privacy to remain intact.


In scope

Our focus is on the following:

  • *.purevpn.com

  • Sensitive areas to focus on are our 3rd party CRM namely WHMcs at billing.purevpn.com, our partner API at reseller.purevpn.com/partner/api.php and our 3rd party Affiliate Management panel "PostAffiliatePro" at billing.purevpn.com/affiliates.

  • Custom clients (software) for Windows, MAC, iOS and Android links can be found in the Target area.

  • Core service and production network that compromises of several hundreds of Windows based VPN servers hosted across more than 45 countries. The application connects to PureVPN servers, however for those who wish to access the network without the software can use the following host addresses

    • http://billing.purevpn.com/pptp_l2tp_hostname_list.php
    • On the server end we have RRAS window service and OpenVPN installed running on ports UDP 53 and TCP 80.
  • RCE leads to privilege escalation, code execution or denial of service


  • Banner/version disclosure
  • Brute Force attacks
  • Clickjacking
  • DDOS attacks
  • CRIME/BEAST attacks
  • Issues that cannot be reproduced
  • Issues found through use of automated tools must not be a simple copy/paste of the result. A PoC and detailed description on how it can affect a user's data or PureVPN's data/infrastructure need to be included
  • URL redirection

Happy Hunting!

Program Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.