ExpressVPN Bug Bounty Program
ExpressVPN strives to build the highest quality service that delivers a smooth user experience and adheres to high security and privacy standards. We, therefore, encourage anyone to submit bug reports to us, and we may choose to pay compensation for valuable and security relevant reports.
Bugs ExpressVPN is interested in
We are interested in bugs that compromise the functionality of our services, in particular:
- security vulnerabilities
- privacy leaks
Platforms ExpressVPN is interested in
- All ExpressVPN apps and platforms (excluding alpha and beta versions)
- The ExpressVPN website
- ExpressVPN VPN servers
Rewards and recognition
ExpressVPN offers financial rewards and recognizes your contribution to the security of our services. We pay for valid bug reports (see below for more information) that are reported for the first time. ExpressVPN will decide the appropriate reward on a case by case basis.
In addition, and with your permission, your findings may be publicly acknowledged and credited to you in a blog post or the release notes of future software updates.
How to submit your bug report
Bug reports should be sent by email to firstname.lastname@example.org
What does a valid bug report look like?
Let us know where you found it:
- For apps: state the platform and versions you’re using
- For website: please state the browser version and your OS version
- Clearly explain the steps needed to reproduce the bug
- Describe the bug in as much detail as you can (include any logs, if available)
- State what you expected to happen
- Assess the impact this issue may have on ExpressVPN and our users
- If possible, suggest a way to fix the bug
Please include any other information that might be relevant.
For security bugs, ExpressVPN requests that you only disclose bugs directly to us. Please allow adequate time for the bug to be fixed.
ExpressVPN will acknowledge the receipt of all bug reports. If you have not received an initial reply from our support team within 7 days, please follow up on your report.
Should we decide to fix the bug, an appropriate time frame for the resolution will be communicated to you.