NOTE: This post was originally published on July 15, 2020
At ExpressVPN, nothing is more important than our users’ privacy, which we ensure through our policies and the security of our service and systems.
Since 2016, ExpressVPN has maintained a bug bounty to reward researchers who find bugs and vulnerabilities in our website, network, servers, apps, routers, and other assets. Over the years, we have gratefully paid out tens of thousands of dollars to security researchers for their help.
Today we are pleased to announce the launch of our newly extended bug-bounty program managed by Bugcrowd, and we encourage researchers, testers, and white-hat hackers to submit their findings through this platform.
Bugcrowd is a platform that lets companies crowdsource the hunt for bugs and vulnerabilities in software and services. Bugcrowd helps with assessing and triaging initial bug reports, allowing our engineers to focus on fixing them.
Using Bugcrowd makes our bug-bounty program more accessible, which we hope will draw more talented researchers to attempt to find bugs in our systems, leading to better protection of our users’ privacy and security.
Our interests and your safety
Our focus is on finding vulnerabilities that would allow an attacker to access customer data, break encryption protocols, or access our servers, as well as any bugs that can harm our systems and users.
We encourage you to look for these bugs and vulnerabilities in our apps, website, servers, and all other ExpressVPN properties. You can find full details of the scope on our Bugcrowd page.
We provide safe harbor in accordance with disclose.io’s terms. Under those terms, you can expect us to validate, respond to, and work on your report in a timely manner, and to credit you if your report leads to a change in our code.
In return, we expect you to responsibly disclose vulnerabilities only to us, to honor our users’ privacy, to respect the scope of the program, and to only use official channels in your communications.
We will not take legal action against you as long as your research is conducted in good faith, and we will not support any third party that takes legal action against you for researching our products. If a third party does take action against you, we will publicly confirm that you followed our policy.
How to get started
Head to Bugcrowd to sign in or open an account. You can get complimentary ExpressVPN credentials for testing purposes in the “Get Credentials” section of your Bugcrowd account page. We continue to welcome submissions via email, but note that they will also be handled by Bugcrowd.
Carefully read about the program, especially the scope, the ground rules, the safe harbor agreement, and Bugcrowd’s standard disclosure terms. Please play by the rules, disclose vulnerabilities promptly, and keep them confidential until they are fixed.
You will be recognized on Bugcrowd if you successfully find a bug. Additionally, you may request to be listed on our bug bounty acknowledgment page.
We’re looking forward to your submissions.