ExpressVPN’s $100,000 bug bounty bonus for VPN server vulnerabilities

The one-time award is the highest bounty offered on Bugcrowd
$10K with a bug and magnifying glass.

At ExpressVPN, we’ve devised meticulous cybersecurity controls to keep our systems and users protected from attacks and intrusions. To ensure that our VPN software and systems meet the high standards of privacy and security that we promise to our customers, we rigorously test them in-house and invite auditors to conduct independent reviews.

As part of our external validations, we have a long-running bug bounty program, with which we invite security researchers to test our systems and receive financial rewards for any problems they find. Over the years, we have awarded tens of thousands of dollars to successful bug bounty hunters.

And now we have created a more enticing reward: The first person to find and demonstrate a security-critical bug on our VPN server technology, TrustedServer, will receive a new bonus award of US$100,000. This is one of the highest bounties ever offered on Bugcrowd, the platform that hosts our bug bounty program, and 10 times the highest reward previously offered by ExpressVPN.

With this new incentive, we seek to underline our confidence in TrustedServer’s design and our commitment to providing essential privacy protections to users. Do we want someone to win the award? On the one hand, no—because that would confirm the strength of our server security. But we are also deeply invested in discovering any vulnerabilities if they exist and are keen for feedback from the community. We would be thrilled to work with and reward anyone who successfully finds a bug.

Bonus US$100,000 award: How to win it

To win the one-time bonus award, you must find one of these security issues within our VPN servers:

  • unauthorized access to a VPN server or remote code execution
  • vulnerabilities in our VPN server that result in leaking the real IP addresses of clients or the ability to monitor user traffic

The award will be given to the first person to submit a valid vulnerability. Activities should remain in scope to the TrustedServer platform. See full details about scope and exclusions for the bonus award.

What is TrustedServer?

TrustedServer is the world’s most advanced VPN server technology, which we created in 2019 to deliver greater security to our users.

With TrustedServer, ExpressVPN prevents the server operating system and apps from ever writing to the hard drive. Instead, the server is run entirely on volatile memory, or RAM. All information on a server is wiped every time the operating system is reinstalled, which happens at least weekly, stopping both data and potential intruders from persisting on the machine. 

The weekly reinstallation also ensures that every one of ExpressVPN’s servers runs the most up-to-date software, rather than each server receiving an update at different times as needed. That means ExpressVPN knows exactly what’s running on each and every server—minimizing the risk of vulnerabilities or misconfiguration and dramatically improving VPN security.

Phone protected by ExpressVPN.
Protect your online privacy and security

30-day money-back guarantee

Various devices protected.
Take the first step to protect yourself online. Try ExpressVPN risk-free.
What is a VPN?
ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.