PureVPN

  • $50 – $1,500 per vulnerability
  • Managed by Bugcrowd

Program stats

150 vulnerabilities rewarded

Validation within 13 days
75% of submissions are accepted or rejected within 13 days

$376.56 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

About PureVPN:

After almost a decade in the online security industry, PureVPN has grown into one of the market leaders of the VPN industry. With a continuously expanding server base, server locations, compatible software, data encryption tools, authentication protocols, customer support options and payment methods, PureVPN has been relentlessly working towards delivering the best value to its users.

PureVPN's network of 2000+ servers is spread across more than 140 countries, serving over 3 million users from all over the world. PureVPN's service has proved to be a practical solution for travelers or teleworkers looking to encrypt their Internet activity on hotel, airport or other insecure public Wi-Fi; businesses that want secure remote access; people who want to stay off the radar of marketers, advertisers and third-party agencies; and internet users who want their privacy to remain intact.

We are concerned not only with vulnerabilities and loopholes around enumeration and information gathering, but also with vulnerabilities that lead to infrastructure compromise. We are also interested in conventional web application and desktop application vulnerabilities, as well as other vulnerabilities/loopholes that can have a direct impact.


Rewards/Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy - that is, excepting issues listed in the "non-rewarded" section near the bottom of this page; please ensure you review this table! It is also important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
We typically reward lower amounts for vulnerabilities that require significant user interaction.

Please be aware that PureVPN may take up to three weeks to accept any given submission and allocate the reward. No rewards should take longer than three weeks to process.

Reward Range

Technical severity    Reward range
P1 Critical           $600 - $1,500
P2 Severe             $300 - $600
P3 Moderate           $100 - $300
P4 Low                $50 - $100
P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                  Type
PureVPN Windows App          Other
PureVPN MAC App              Other
PureVPN iOS App              iOS
PureVPN Android App          Android
PureVPN Chrome Extension     Other
PureVPN Linux App            Other
PureVPN DDwrt Applet         Other
PureVPN Firefox Extension    Other
PureVPN Kodi Add-on          Other

Out of scope

Target name                  Type
*.purevpn.com                Other
www.purevpn.com              Website

Any domain/property of PureVPN or associated entities which is not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Credentials & Access:

Credentials are not provided for this program, and researchers are encouraged to create their own as they're able to. To this end, please feel free to create trials, or use any existing accounts you already own. However, please ONLY test against accounts you expressly own, and not against any other users.

Target info:

(when testing the thick clients, please be sure to only test against the latest version)

  1. PureVPN Windows App
    Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe

  2. PureVPN MAC App
    Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/mac/app/purevpn_setup.dmg

  3. PureVPN iOS App
    Download URL: On the Apple App Store

  4. PureVPN Android App
    Download URL: On the Google Play Store

  5. PureVPN Chrome Extension
    Download URL: https://chrome.google.com/webstore/detail/purevpn-free-vpn-proxy-un/bfidboloedlamgdmenmlbipfnccokknp

  6. PureVPN Linux App
    Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/linux/app/purevpn_1.2.2_amd64.deb

  7. PureVPN DDwrt Applet
    Download URL: http://routerapplet.purevpn.com/cgi-bin/applet-cgi.py

  8. PureVPN Firefox Extension
    Download URL: https://addons.mozilla.org/en-US/firefox/addon/purevpn-for-privacy-security/?src=recommended

  9. PureVPN Kodi Add-on
    Download URL: https://www.purevpn.com/Kodi-repo

Focus Areas:

  • RCE, SQLi, XSS, CSRF, authentication bypass, horizontal privilege escalation, vertical privilege escalation
  • Custom clients (software) for Windows, MAC, iOS and Android; download links can be found in the Targets section.
  • Our core service and production network, which comprises several hundred Windows-based VPN servers hosted across more than 145 countries. The application connects to PureVPN servers; those who wish to access the network without the software can use the host addresses listed at:
    • http://billing.purevpn.com/pptp_l2tp_hostname_list.php
    • On the server end we have the RRAS Windows service and OpenVPN installed, running on ports UDP 53 and TCP 80.
  • All the applications listed in the targets section, apart from web applications, are mainly VPN dialers. A VPN dialer is an application that initiates the VPN connection from the client all the way to the VPN server.

Out-of-Scope:

  • Self XSS
  • Misconfigured or lack of SPF records
  • Out of date software versions (without PoC)
  • Content Spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploits must work on browsers newer than IE 8.
  • .htaccess downloadable file without a real security misconfiguration that can have a demonstrable security impact
  • Login page or one of our websites served over HTTP.
  • Password not enforced on user accounts
  • Clickjacking or any issue exploitable through clickjacking
  • Lack of Secure and HTTPOnly cookie flags.
  • Username / email enumeration
  • CORS issues without a working PoC
  • Brute Force attacks
  • URL redirection
  • DDoS attacks
  • CRIME/BEAST attacks
  • Non-technical attacks (i.e. social engineering, phishing or unauthorized access to infrastructure).

Program Rules:

  • Please ensure that assets or data residing on the assets is not affected as a result of your testing. Please make all efforts to avoid being destructive during testing.
  • All the vulnerabilities reported in a submission should be exploitable directly.
  • Rewards are at the discretion of PureVPN and we withhold the right to grant, modify or deny rewards.
  • Reports must be submitted in plain text (pictures/videos must be in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.
  • Issues found through use of automated tools must not be a simple copy/paste of the result. A PoC and detailed description (with reproduction steps) on how it can affect a user's data or PureVPN's data/infrastructure/Web/mobile/thick-clients must be included with each report.
  • Public vulnerability disclosure is NOT allowed (remediated or otherwise)

Program Update: 6th December 2018

In addition to Bugcrowd's VRT, the following service-specific issues can also be reported by researchers and will be rewarded under the P4 category.

Rules:

  • No manipulation of services running on the client system will be accepted, except where the manipulation is based solely on network/protocol-level traffic and is reproducible at will.

  • For the following tests, it is mandatory to attach a screenshot of a traceroute/MTR to bugcrowd.com taken after establishing the VPN connection.

  • It is mandatory to attach a screenshot of your assigned IP after a successful VPN connection.

  • All of the following tests should be performed after establishing a VPN/Proxy connection to PureVPN's Canada location.

  • Reports will be marked incomplete/invalid if the above points are violated.

1) DNS Leak (Except Ozone and Gravity services)

A DNS leak is a security flaw that allows DNS requests to be revealed to the ISP's DNS servers despite the use of a VPN service intended to conceal them. Test whether the DNS leak protection mechanism implemented in the client apps is fit for purpose.

2) IPv6 Leak

This refers to a scenario where the vpn_user's ISP provides IPv6 addresses but the user's VPN server does not support IPv6: the IPv6 traffic passes without being blocked, leaking the user's real IPv6 address to a third party. Test whether the IPv6 blocking mechanism implemented in the client apps is fit for purpose.

3) Real IP Leak via Chrome Browser Extension only (VPN service is NOT in scope)

Any misconfiguration/vulnerability on the server or client side that results in the user's real IP address being leaked to a third party. Test whether the leak protection mechanism implemented in the browser extension is fit for purpose.

4) WebRTC Leak via Chrome Browser Extension only (VPN service is not in scope)

A WebRTC leak allows a third-party service to detect the user's real IP address when the user browses through a misconfigured web browser. Test whether the leak protection mechanism implemented in the browser extension is fit for purpose.
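Items 1, 2 and 4 above all come down to the same question: did any DNS query, IPv6 packet or WebRTC ICE candidate reach the network outside the tunnel? The script below is an added example, not PureVPN's or Bugcrowd's code, showing how a tester can classify captured evidence offline before writing up a report. The tunnel parameters (assigned address 10.8.0.23, exit address 203.0.113.45, tunnel resolver 10.8.0.1, IPv4-only tunnel) and every address in the sample capture and SDP offer are constructed from RFC 5737/3849 documentation ranges and are assumptions, as is the simplified "src > dst: qtype qname" log format.

```python
"""Offline leak triage over captured evidence (added example; all values constructed)."""
import ipaddress
import re

# Assumed tunnel state for the test session (constructed values, not real PureVPN addresses).
VPN_ASSIGNED_IP = ipaddress.ip_address("10.8.0.23")      # client address inside the tunnel
VPN_EGRESS_IP = ipaddress.ip_address("203.0.113.45")     # public exit address of the VPN server
TUNNEL_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}    # DNS servers that are only reachable via the tunnel
TUNNEL_HAS_IPV6 = False                                  # the tunnel carries IPv4 only

# Constructed capture of DNS queries in a simplified "src > dst: qtype qname" form.
# Line 1 goes to the tunnel resolver; line 2 goes to the LAN router (ISP path);
# line 3 is IPv6 traffic to a resolver outside the tunnel.
SAMPLE_DNS_LOG = """\
10.8.0.23 > 10.8.0.1: A example.com
192.168.1.10 > 192.168.1.1: A example.org
2001:db8:abcd::7 > 2001:db8::53: AAAA example.net
"""

# Constructed ICE candidate lines as a browser would emit them in an SDP offer.
SAMPLE_SDP = """\
a=candidate:1 1 udp 2122260223 10.8.0.23 51234 typ host
a=candidate:2 1 udp 2122260222 192.168.1.10 51234 typ host
a=candidate:3 1 udp 1686052607 198.51.100.7 51234 typ srflx raddr 192.168.1.10 rport 51234
a=candidate:4 1 udp 2122262783 2001:db8:abcd::7 51235 typ host
"""

DNS_LINE = re.compile(r"^(\S+) > (\S+): (\S+) (\S+)$")
CANDIDATE = re.compile(r"^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)", re.M)


def find_dns_leaks(log, resolvers=TUNNEL_RESOLVERS):
    """Queries whose destination is not a tunnel resolver took the ISP/LAN path: a DNS leak."""
    leaks = []
    for line in log.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m.group(2))
        if dst not in resolvers:
            leaks.append((str(dst), m.group(4)))
    return leaks


def observed_sources(log, sdp):
    """Every address the client used as a packet source or advertised as an ICE candidate."""
    addrs = [ipaddress.ip_address(m.group(1)) for m in map(DNS_LINE.match, log.splitlines()) if m]
    addrs += [ipaddress.ip_address(ip) for ip, _ in CANDIDATE.findall(sdp)]
    return addrs


def find_ipv6_leaks(addresses, tunnel_has_ipv6=TUNNEL_HAS_IPV6):
    """With an IPv4-only tunnel, any IPv6 source or candidate address bypassed the VPN."""
    if tunnel_has_ipv6:
        return []
    return sorted({str(a) for a in addresses if a.version == 6})


def find_webrtc_leaks(sdp, egress=VPN_EGRESS_IP, assigned=VPN_ASSIGNED_IP):
    """Reflexive candidates must show the VPN exit; host candidates may only show the tunnel address."""
    findings = []
    for ip, typ in CANDIDATE.findall(sdp):
        addr = ipaddress.ip_address(ip)
        if typ in ("srflx", "prflx") and addr != egress:
            findings.append(("real_public_ip", ip))   # STUN observed the ISP address, not the VPN exit
        elif typ == "host" and addr != assigned:
            findings.append(("local_address", ip))    # LAN or IPv6 interface address exposed
    return findings


def triage(log=SAMPLE_DNS_LOG, sdp=SAMPLE_SDP):
    """Summarise the three leak classes listed as P4 items 1, 2 and 4."""
    return {
        "dns": find_dns_leaks(log),
        "ipv6": find_ipv6_leaks(observed_sources(log, sdp)),
        "webrtc": find_webrtc_leaks(sdp),
    }


if __name__ == "__main__":
    for kind, items in triage().items():
        print(f"{kind}: {'no leak' if not items else items}")
```

On the constructed input the script reports one DNS leak to the LAN router, one to an external IPv6 resolver, an IPv6 leak for 2001:db8:abcd::7, and two WebRTC findings (the LAN host candidate and a server-reflexive candidate that does not match the VPN exit). For a browser extension, the defensive setting that removes host and reflexive candidates altogether is Chrome's `chrome.privacy.network.webRTCIPHandlingPolicy` with the value `disable_non_proxied_udp`; an extension that leaves the default policy in place will produce output like the WebRTC findings above.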

5) Session Hijacking

A targeted attack against a user connected over a VPN to hijack their web session. Example cases where this was possible in the past:

1- Heartbleed-type issues.

2- Insecure handling of sessions through (ISAKMP) Security Associations (SAs).

6) Man in Middle Attack (Network level)

A scenario where an attacker on the local LAN acts as a proxy between the vpn_user and the VPN server and is able to manipulate the vpn_user's traffic in plain text. (Attacks that rely on social engineering or acceptance of a fake certificate are not allowed.)

7) Incorrect network access rights

A scenario where a misconfigured vpn server/client allows one connected vpn_user to access network shares of other users connected to the same vpn server.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.