Program stats

188 vulnerabilities rewarded

Validation within 12 days
75% of submissions are accepted or rejected within 12 days


After almost a decade of being part of the online security industry, PureVPN has grown into one of the market leaders of the VPN industry. With a continuously expanding server base, server locations, compatible software, data encryption tools, authentication protocols, customer support options and payment methods, PureVPN has been relentlessly working towards delivering the best value to its users.

PureVPN's network of 550+ servers is spread across more than 145 countries, serving over 1 million users from all over the world. PureVPN’s service has proved to be a practical solution for travelers or teleworkers looking to encrypt their Internet activity on hotel, airport or other insecure public Wi-Fi, businesses that want secure remote access, people who want to avoid being on the radar of marketers, advertisers, and third-party agencies, and internet users who want their privacy to remain intact.


Our focus is on the following:

Sensitive areas to focus on are our 3rd party CRM, namely WHMCS, at, our partner API at and our 3rd party Affiliate Management panel "PostAffiliatePro" at

Then there are custom clients (software) for Windows, Mac, iOS and Android; links can be found in the Target area.

Lastly, there is the core service and production network, which comprises several hundred Windows-based VPN servers hosted across more than 45 countries. Servers are connected to from within that software; however, those who wish to access the network without the software can use the following host addresses

On the server end we have the RRAS Windows service and OpenVPN installed, running on ports UDP 53 and TCP 80.

The following are considered out of scope:

  • Banner/version disclosure
  • Brute-force attacks
  • Clickjacking
  • DDoS attacks
  • CRIME/BEAST attacks
  • Issues that cannot be reproduced
  • Issues found through the use of automated tools must not be a simple copy/paste of the result. A PoC and a detailed description of how the issue can affect a user's data or PureVPN's data/infrastructure need to be included
  • URL redirection

Happy bounty hunting, people!


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.