skip to Main Content
This website use cookies which are necessary to its functioning and required to achieve the purposes illustrated in the privacy policy. To learn more or withdraw consent please click on Learn More. By continued use of this website you are consenting to our use of cookies.

Program Spotlight: ExpressVPN Public Bug Bounty

Program Spotlight: ExpressVPN Public Bug Bounty

About ExpressVPN:

ExpressVPN operates thousands of VPN servers and makes cross-platform VPN applications for all major desktop and mobile operating systems as well as routers and browser extensions.

About the Program:

ExpressVPN’s public program will be focused on:

  • Vulnerabilities in its client applications, especially vulnerabilities that lead to privilege escalation
  • Any kind of unauthorized access on its VPN servers
  • Vulnerabilities that exposes or puts customer data at risk to unauthorized persons
  • Vulnerabilities that weaken, break or otherwise subvert VPN communications in a way that exposes the traffic to other VPN product users 

What’s In It For You:

ExpressVPN has a self-hosted, public bug bounty program since 2016 and is now leveraging the growing talent of the Crowd. This program has a P1 reward range of $2,100 – $2,500 and an average payout of $750. With a variety of target assets and skill types, this program has opportunities for all researchers in both recon and deep-diving security vulnerabilities.


Assets in scope include:

  • VPN servers
  • ExpressVPN iOS application
  • ExpressVPN android application
  • ExpressVPN Linux application
  • ExpressVPN macOS application
  • ExpressVPN Windows application
  • ExpressVPN Router
  • ExpressVPN Firefox extension
  • ExpressVPN Chrome extension
  • MediaStreamer DNS servers
  • ExpressVPN APIs
  • *
  • *
  • *.expressobutiolem.onion
  • Apple App Store (886492891)
  • Google Play (com.expressvpn.vpn)
  • Internal systems:
    1. Employee email
    2. Internal chat messages
    3. Source code hosting
    4. Any vulnerability that compromises the privacy of our employees
  • Additionally, any publicly accessible host that is owned or operated by ExpressVPN that is not in the above list may be considered in-scope on a case-by-case basis.

Valid bug reports include any bugs related to the privacy and security capabilities of:

  • ExpressVPN’s VPN and DNS servers
  • ExpressVPN apps
  • ExpressVPN browser extensions
  • ExpressVPN websites
  • ExpressVPN profiles on the App Store and Google Play Store


This is an attractive program for anyone with skills in:

  • Web app security
  • API security
  • Thick client security in Windows, Mac and Linux apps
  • Mobile device app service for iOS and Android
  • Browser extension security for Edge, Firefox, and Chrome
  • Router firmware and related security
  • Security and encryption protocol security 

What Can You Expect From This Program:

When working with the ExpressVPN team, you can expect them to:

  • Extend Safe Harbor for your vulnerability research
  • Work with you to understand and validate your report, including a timely initial response to the submission
  • Work to remediate discovered vulnerabilities in a timely manner
  • Recognize your contribution to improving their security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change

Interested in learning more?


Bugcrowd Customer Marketing

Bugcrowd Customer Marketing

Back To Top