ExpressVPN Bug Bounty Program

ExpressVPN strives to build a top-quality service that delivers a smooth user experience and adheres to the highest security and privacy standards. We encourage anyone to submit bug reports to us, and we may choose to pay a reward for valuable and security-relevant reports.

Bugs ExpressVPN is interested in

We are interested in bugs that compromise the functionality of our services, in particular:

  • security vulnerabilities
  • privacy leaks

Platforms ExpressVPN is interested in

Rewards and recognition

ExpressVPN offers financial rewards and recognizes your contribution to the security of our services. We pay for valid bug reports (see below for more information) that are reported for the first time. ExpressVPN will decide the appropriate reward on a case-by-case basis.

In addition, and with your permission, your findings may be publicly acknowledged and credited to you in a blog post or the release notes of future software updates.

How to submit your bug report

Bug reports should be sent by email to

What does a valid bug report look like?

  1. Let us know where you found it:
    1. For apps: State the platform and versions you are using
    2. For website: Please state the browser version and your OS version
  2. Clearly explain the steps needed to reproduce the bug
  3. Describe the bug in as much detail as you can (include any logs, if available)
  4. State what you expected to happen
  5. Assess the impact this issue may have on ExpressVPN and our users
  6. If possible, suggest a way to fix the bug

Please include any other information that might be relevant.

Responsible disclosure

ExpressVPN asks that you disclose security bugs directly to us, and to no one else. Please allow enough time for the bug to be fixed.

ExpressVPN will acknowledge the receipt of all bug reports. If you have not received a reply from our Support Team within seven days, please send a follow-up message.

Should we decide to fix the bug, we will tell you when we expect to resolve it.