PureVPN

  • $50 – $1,500 per vulnerability
  • Managed by Bugcrowd

Program stats

127 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

About PureVPN:

After almost a decade of being part of the online security industry, PureVPN has grown into one of the market leaders of the VPN industry. With continuously expanding server base, server locations, compatible software, data encryption tools, authentication protocols, customer support options and payment methods, PureVPN has been relentlessly working towards delivering the best value to its users.

PureVPN's network of 2000+ servers is spread across more than 140+ countries, serving over 3 million users from all over the world. PureVPN’s service has proved to be practical solution for travelers or teleworkers looking to encrypt their Internet activity on a hotel/airport or other insecure public Wi-if, businesses who want remote secure access, people who want to avoid being on the radar of marketers, advertisers, and third-party agencies, and internet users that want their privacy to remain intact.

We are not only concerned with vulnerabilities and loopholes encircling enumeration, information gathering but vulnerabilities that leads to infrastructure compromise. We are also interested in conventional web application as well as desktop application vulnerabilities, as well as other vulnerabilities/loopholes that can have direct impact.


Rewards/Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy - that is, excepting issues listed in the "non-rewarded" section near the bottom of this page; please ensure you review this table! It is also important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
We typically reward lower amounts for vulnerabilities that require significant user interaction.

Please be aware that PureVPN may take up to three weeks to accept any given submission and allocate the reward. No rewards should take longer than three weeks to process.

Reward Range

Last updated
Technical severity Reward range
p1 Critical $600 - $1,500
p2 Severe $300 - $600
p3 Moderate $100 - $300
p4 Low $50 - $100
P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name Type
PureVPN Windows App Other
PureVPN MAC App Other
PureVPN iOS App iOS
PureVPN Android App Android
PureVPN Chrome Extension Other
PureVPN Linux App Other
PureVPN DDwrt Applet Other
PureVPN Firefox Extension Other
PureVPN Kodi Add-on Other

Out of scope

Target name Type
*.purevpn.com Other
www.purevpn.com Website

Any domain/property of PureVPN or associated entities which is not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Credentials & Access:

Credentials are not provided for this program, and researchers are encouraged to create their own as they're able to. To this end, please feel free to create trials, or use any existing accounts you already own. However, please ONLY test against accounts you expressly own, and not against any other users.

Target info:

(when testing the thick clients, please be sure to only test against the latest version)

  1. PureVPN Windows App
    Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe

  2. PureVPN MAC App
    Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/mac/app/purevpn_setup.dmg

  3. PureVPN iOS App
    Download URL : On Apple App Store

  4. PureVPN Android App
    Download URL: On the Google Play Store

  5. PureVPN Chrome Extension
    Download URL: https://chrome.google.com/webstore/detail/purevpn-free-vpn-proxy-un/bfidboloedlamgdmenmlbipfnccokknp

  6. PureVPN Linux App
    Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/linux/app/purevpn_amd64.deb
    https://s3.amazonaws.com/purevpn-dialer-assets/linux/app/purevpn-1.0.0-1.amd64.rpm

  7. PureVPN DDwrt Applet
    Download URL: http://routerapplet.purevpn.com/cgi-bin/applet-cgi.py

  8. PureVPN Firefox Extension
    Download URL: https://addons.mozilla.org/en-US/firefox/addon/purevpn-for-privacy-security/?src=recommended

  9. PureVPN Kodi Add-on
    Download URL: https://www.purevpn.com/Kodi-repo

Focus Areas:

  • RCE, SQLi, XSS, CSRF, authentication bypass, horizontal privilege escalation, vertical privilege escalation
  • Custom clients (software) for Windows, MAC, iOS and Android links can be found in the Target area.
  • Our core service and production network that is comprised of several hundreds of Windows based VPN servers hosted across more than 145 countries. The application connects to PureVPN servers, however for those who wish to access the network without the software can use the following host addresses
    • http://billing.purevpn.com/pptp_l2tp_hostname_list.php
    • On the server end we have RRAS window service and OpenVPN installed running on ports UDP 53 and TCP 80.
  • All the application listed in the targets section apart from web applications are mainly VPN dialers. A VPN Dialer is an application that initiates the VPN connection from client all the way to VPN server.

Out-of-Scope:

  • Self XSS
  • Misconfigured or lack of SPF records
  • Out of date software versions (without PoC)
  • Content Spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work at least on > IE 8.
  • .htaccess downloadable file without a real security misconfiguration that can have a demonstrable security impact
  • Login page or one of our websites served over HTTP.
  • Password not enforced on user accounts
  • Clickjacking or any issue exploitable through clickjacking
  • Lack of Secure and HTTPOnly cookie flags.
  • Username / email enumeration
  • CORS issues without a working PoC
  • Brute Force attacks
  • URL redirection
  • DDoS attacks
  • CRIME/BEAST attacks
  • Non-technical attacks (ie. social engineering, phishing or unauthorized access to infrastructure).

Program Rules:

  • Please ensure that assets or data residing on the assets is not affected as a result of your testing. Please make all efforts to avoid being destructive during testing.
  • All the vulnerabilities reported in a submission should be exploitable directly.
  • Rewards are at the discretion of PureVPN and we withhold the right to grant, modify or deny rewards.
  • Reports must be submitted in plain text (pictures/videos must be in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.
  • Issues found through use of automated tools must not be a simple copy/paste of the result. A PoC and detailed description (with reproduction steps) on how it can affect a user's data or PureVPN's data/infrastructure/Web/mobile/thick-clients must be included with each report.
  • Public vulnerability disclosure is NOT allowed (remediated or otherwise)

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.