Customer Spotlight: ExpressVPN Public Bug Bounty
About ExpressVPN:
ExpressVPN operates thousands of VPN servers and makes cross-platform VPN applications for all major desktop and mobile operating systems as well as routers and browser extensions.
About the Program:
ExpressVPN’s public program will be focused on:
- Vulnerabilities in its client applications, especially vulnerabilities that lead to privilege escalation
- Any kind of unauthorized access on its VPN servers
- Vulnerabilities that exposes or puts customer data at risk to unauthorized persons
- Vulnerabilities that weaken, break or otherwise subvert VPN communications in a way that exposes the traffic to other VPN product users
What’s In It For You:
ExpressVPN has a self-hosted, public bug bounty program since 2016 and is now leveraging the growing talent of the Crowd. This program has a P1 reward range of $2,100 – $2,500 and an average payout of $750. With a variety of target assets and skill types, this program has opportunities for all researchers in both recon and deep-diving security vulnerabilities.
Scope:
Assets in scope include:
- VPN servers
- ExpressVPN iOS application
- ExpressVPN android application
- ExpressVPN Linux application
- ExpressVPN macOS application
- ExpressVPN Windows application
- ExpressVPN Router
- ExpressVPN Firefox extension
- ExpressVPN Chrome extension
- MediaStreamer DNS servers
- ExpressVPN APIs
- expressvpn.com
- *.expressvpn.com
- *.xvservice.net
- *.expressobutiolem.onion
- Apple App Store (886492891)
- Google Play (com.expressvpn.vpn)
- Internal systems:
- Employee email
- Internal chat messages
- Source code hosting
- Any vulnerability that compromises the privacy of our employees
- Additionally, any publicly accessible host that is owned or operated by ExpressVPN that is not in the above list may be considered in-scope on a case-by-case basis.
Valid bug reports include any bugs related to the privacy and security capabilities of:
- ExpressVPN’s VPN and DNS servers
- ExpressVPN apps
- ExpressVPN browser extensions
- ExpressVPN websites
- ExpressVPN profiles on the App Store and Google Play Store
Skills:
This is an attractive program for anyone with skills in:
- Web app security
- API security
- Thick client security in Windows, Mac and Linux apps
- Mobile device app service for iOS and Android
- Browser extension security for Edge, Firefox, and Chrome
- Router firmware and related security
- Security and encryption protocol security
What Can You Expect From This Program:
When working with the ExpressVPN team, you can expect them to:
- Extend Safe Harbor for your vulnerability research
- Work with you to understand and validate your report, including a timely initial response to the submission
- Work to remediate discovered vulnerabilities in a timely manner
- Recognize your contribution to improving their security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change
Interested in learning more?
- Portswigger’s Web Security Academy: https://portswigger.net/web-security
- Cyber Mentor’s video course on Web Application Hacking: https://www.youtube.com/watch?v=24fHLWXGS-M
- OWASP’s Mobile Security Guide: https://owasp.org/www-project-mobile-security-testing-guide/
- OWASP’s Guide to IoT: https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf
