After almost a decade in the online security industry, PureVPN has grown into one of the market leaders of the VPN industry. With a continuously expanding server base, server locations, compatible software, data encryption tools, authentication protocols, customer support options and payment methods, PureVPN has been relentlessly working towards delivering the best value to its users.
PureVPN's network of 2000+ servers is spread across more than 140 countries, serving over 3 million users worldwide. PureVPN's service has proved to be a practical solution for travellers or teleworkers looking to encrypt their Internet activity on hotel, airport or other insecure public Wi-Fi; businesses that want secure remote access; people who want to stay off the radar of marketers, advertisers and third-party agencies; and Internet users who want their privacy to remain intact.
We are interested not only in vulnerabilities and loopholes around enumeration and information gathering, but above all in vulnerabilities that lead to infrastructure compromise. We are also interested in conventional web application and desktop application vulnerabilities, as well as any other vulnerabilities or loopholes that have a direct impact.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy - that is, excepting issues listed in the "non-rewarded" section near the bottom of this page; please ensure you review this table! It is also important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
We typically reward lower amounts for vulnerabilities that require significant user interaction.
Please be aware that PureVPN may take up to three weeks to accept any given submission and allocate the reward. No rewards should take longer than three weeks to process.
Reward range

| Technical severity | Reward range |
| --- | --- |
| P1 Critical | $600 - $1,500 |
| P2 Severe | $300 - $600 |
| P3 Moderate | $100 - $300 |
| P4 Low | $50 - $100 |
Out of scope
Any domain/property of PureVPN or associated entities which is not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Credentials & Access:
Credentials are not provided for this program, and researchers are encouraged to create their own as they're able to. To this end, please feel free to create trials, or use any existing accounts you already own. However, please ONLY test against accounts you expressly own, and not against any other users.
(When testing the thick clients, please be sure to test only against the latest version.)
PureVPN Windows App
Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe
PureVPN MAC App
Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/mac/app/purevpn_setup.dmg
PureVPN iOS App
Download URL : On Apple App Store
PureVPN Android App
Download URL: On the Google Play Store
PureVPN Chrome Extension
Download URL: https://chrome.google.com/webstore/detail/purevpn-free-vpn-proxy-un/bfidboloedlamgdmenmlbipfnccokknp
PureVPN DD-WRT Applet
Download URL: http://routerapplet.purevpn.com/cgi-bin/applet-cgi.py
PureVPN Firefox Extension
Download URL: https://addons.mozilla.org/en-US/firefox/addon/purevpn-for-privacy-security/?src=recommended
PureVPN Kodi Add-on
Download URL: https://www.purevpn.com/Kodi-repo
- RCE, SQLi, XSS, CSRF, authentication bypass, horizontal privilege escalation, vertical privilege escalation
- Custom client software for Windows, macOS, iOS and Android; download links can be found in the Targets section.
- Our core service and production network, which is comprised of several hundred Windows-based VPN servers hosted across more than 145 countries. The application connects to PureVPN servers; those who wish to access the network without the software can use the following host addresses.
- On the server side, the Windows RRAS service and OpenVPN are installed, listening on UDP port 53 and TCP port 80.
- All the applications listed in the Targets section, apart from the web applications, are mainly VPN dialers. A VPN dialer is an application that initiates the VPN connection from the client all the way to the VPN server.
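Because the brief places OpenVPN on UDP 53 and TCP 80, ports normally associated with DNS and HTTP, a tester's first question is which of a host's listeners actually speaks OpenVPN. The following is an added example, not PureVPN's own tooling and not part of the original brief: it builds the unauthenticated client hard-reset that every OpenVPN session begins with and parses the server's hard-reset reply, over either transport. It assumes the endpoint is not configured with tls-auth or tls-crypt (servers that are will silently drop the unauthenticated reset, so a timeout is inconclusive rather than proof of absence), and the hostname in the usage stub is a placeholder to be replaced with an in-scope server you are authorised to test.

```python
"""Minimal OpenVPN endpoint probe (added example, not PureVPN tooling).

Builds the P_CONTROL_HARD_RESET_CLIENT_V2 packet an OpenVPN client sends
first and parses the P_CONTROL_HARD_RESET_SERVER_V2 reply, so a tester can
tell which of a host's ports (e.g. UDP 53, TCP 80) speak OpenVPN rather than
DNS or HTTP.  Assumes no tls-auth/tls-crypt on the endpoint.
"""
import os
import socket
import struct
from typing import Optional

P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
SESSION_ID_LEN = 8


def build_client_reset(session_id: bytes, key_id: int = 0, tcp: bool = False) -> bytes:
    """Return the wire bytes of a client hard-reset without a tls-auth HMAC.

    Layout: one byte (opcode << 3 | key_id), 8-byte session id, ack array
    length (0), 4-byte packet id (0).  Over TCP every OpenVPN packet is
    prefixed with a 16-bit big-endian length.
    """
    if len(session_id) != SESSION_ID_LEN:
        raise ValueError("session id must be 8 bytes")
    if not 0 <= key_id < 8:
        raise ValueError("key id is a 3-bit field")
    pkt = bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | key_id])
    pkt += session_id
    pkt += b"\x00"                 # no packet ids being acknowledged
    pkt += struct.pack(">I", 0)    # our packet id 0
    if tcp:
        pkt = struct.pack(">H", len(pkt)) + pkt
    return pkt


def parse_server_reply(data: bytes, our_session_id: bytes, tcp: bool = False) -> dict:
    """Parse a server hard-reset; raise ValueError if the bytes are not one.

    A genuine OpenVPN peer acks our packet id 0 and echoes our session id;
    an unrelated service answering on the same port will fail these checks.
    """
    if tcp:
        if len(data) < 2:
            raise ValueError("short TCP frame")
        (length,) = struct.unpack(">H", data[:2])
        data = data[2:2 + length]
        if len(data) != length:
            raise ValueError("truncated TCP frame")
    if len(data) < 1 + SESSION_ID_LEN + 1:
        raise ValueError("packet too short")
    opcode, key_id = data[0] >> 3, data[0] & 0x07
    if opcode != P_CONTROL_HARD_RESET_SERVER_V2:
        raise ValueError(f"unexpected opcode {opcode}")
    pos = 1
    server_session = data[pos:pos + SESSION_ID_LEN]
    pos += SESSION_ID_LEN
    ack_len = data[pos]
    pos += 1
    if len(data) < pos + 4 * ack_len:
        raise ValueError("truncated ack array")
    acks = [struct.unpack(">I", data[pos + 4 * i:pos + 4 * i + 4])[0] for i in range(ack_len)]
    pos += 4 * ack_len
    remote_session = None
    if ack_len:
        remote_session = data[pos:pos + SESSION_ID_LEN]
        pos += SESSION_ID_LEN
    if 0 not in acks or remote_session != our_session_id:
        raise ValueError("reply does not acknowledge our reset")
    if len(data) < pos + 4:
        raise ValueError("missing packet id")
    (packet_id,) = struct.unpack(">I", data[pos:pos + 4])
    return {"key_id": key_id, "server_session_id": server_session, "packet_id": packet_id}


def probe(host: str, port: int, tcp: bool = False, timeout: float = 3.0) -> Optional[dict]:
    """Send one reset and return the parsed reply, or None on timeout/mismatch."""
    session_id = os.urandom(SESSION_ID_LEN)
    pkt = build_client_reset(session_id, tcp=tcp)
    sock_type = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, sock_type) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(pkt)
            return parse_server_reply(s.recv(4096), session_id, tcp=tcp)
        except (OSError, ValueError):
            return None


if __name__ == "__main__":
    # HOST is a placeholder; substitute an in-scope server you are authorised to test.
    HOST = "vpn.example.invalid"
    for port, tcp in ((53, False), (80, True)):
        print(HOST, "tcp" if tcp else "udp", port, probe(HOST, port, tcp=tcp))
```

A single reset per port is non-destructive and is exactly what a legitimate client sends; do not loop it in volume, since the rules below exclude brute force and DoS-style testing. A parsed reply identifies the transport and key id in use; confirming the rest of the stack (TLS handshake, cipher negotiation) is a separate step.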
- Self XSS
- Misconfigured or lack of SPF records
- Out of date software versions (without PoC)
- Content Spoofing
- Vulnerabilities limited to unsupported browsers will not be accepted; exploits must work on browsers newer than IE 8.
- Downloadable .htaccess file without a real security misconfiguration that has demonstrable security impact
- Login page or one of our websites served over HTTP.
- Password not enforced on user accounts
- Clickjacking or any issue exploitable through clickjacking
- Lack of Secure and HTTPOnly cookie flags.
- Username / email enumeration
- CORS issues without a working PoC
- Brute Force attacks
- URL redirection
- DDoS attacks
- CRIME/BEAST attacks
- Non-technical attacks (ie. social engineering, phishing or unauthorized access to infrastructure).
- Please ensure that assets or data residing on the assets is not affected as a result of your testing. Please make all efforts to avoid being destructive during testing.
- Every vulnerability reported in a submission must be directly exploitable.
- Rewards are at the discretion of PureVPN, and we reserve the right to grant, modify or deny rewards.
- Reports must be submitted in plain text (pictures/videos must be in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.
- Issues found through use of automated tools must not be a simple copy/paste of the result. A PoC and detailed description (with reproduction steps) on how it can affect a user's data or PureVPN's data/infrastructure/Web/mobile/thick-clients must be included with each report.
- Public vulnerability disclosure is NOT allowed (remediated or otherwise)