By Athena Peterson, Jul 15, 2020

Program Spotlight: ExpressVPN Public Bug Bounty

About ExpressVPN:
ExpressVPN operates thousands of VPN servers and makes cross-platform VPN applications for all major desktop and mobile operating systems, as well as routers and browser extensions.

About the Program:
ExpressVPN’s public program will be focused on:
- Vulnerabilities in its client applications, especially vulnerabilities that lead to privilege escalation
- Any kind of unauthorized access to its VPN servers
- Vulnerabilities that expose customer data, or put it at risk of exposure, to unauthorized persons
- Vulnerabilities that weaken, break or otherwise subvert VPN communications in a way that exposes the traffic to other VPN product users

What’s In It For You:
ExpressVPN has run a self-hosted, public bug bounty program since 2016 and is now leveraging the growing talent of the Crowd. This program has a P1 reward range of $2,100 – $2,500 and an average payout of $750. With a variety of target assets and skill types, this program has opportunities for all researchers, both in recon and in deep-diving security vulnerabilities.

Scope:
Assets in scope include:
- VPN servers
- ExpressVPN iOS application
- ExpressVPN Android application
- ExpressVPN Linux application
- ExpressVPN macOS application
- ExpressVPN Windows application
- ExpressVPN Router
- ExpressVPN Firefox extension
- ExpressVPN Chrome extension
- MediaStreamer DNS servers
- ExpressVPN APIs
- expressvpn.com
- *.expressvpn.com
- *.xvservice.net
- *.expressobutiolem.onion
- Apple App Store (886492891)
- Google Play (com.expressvpn.vpn)

Internal systems:
- Employee email
- Internal chat messages
- Source code hosting
- Any vulnerability that compromises the privacy of our employees

Additionally, any publicly accessible host that is owned or operated by ExpressVPN and is not in the above list may be considered in scope on a case-by-case basis.

Valid bug reports include any bugs related to the privacy and security capabilities of:
- ExpressVPN’s VPN and DNS servers
- ExpressVPN apps
- ExpressVPN browser extensions
- ExpressVPN websites
- ExpressVPN profiles on the App Store and Google Play Store

Skills:
This is an attractive program for anyone with skills in:
- Web app security
- API security
- Thick client security in Windows, Mac and Linux apps
- Mobile app security for iOS and Android
- Browser extension security for Edge, Firefox, and Chrome
- Router firmware and related security
- Security and encryption protocols

What Can You Expect From This Program:
When working with the ExpressVPN team, you can expect them to:
- Extend Safe Harbor for your vulnerability research
- Work with you to understand and validate your report, including a timely initial response to the submission
- Work to remediate discovered vulnerabilities in a timely manner
- Recognize your contribution to improving their security if you are the first to report a unique vulnerability and your report triggers a code or configuration change

Interested in learning more?
- PortSwigger’s Web Security Academy: https://portswigger.net/web-security
- Cyber Mentor’s video course on Web Application Hacking: https://www.youtube.com/watch?v=24fHLWXGS-M
- OWASP’s Mobile Security Guide: https://owasp.org/www-project-mobile-security-testing-guide/
- OWASP’s Guide to IoT: https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

Athena Peterson is Senior Customer Experience Marketing Manager at Bugcrowd.