About ExpressVPN:

ExpressVPN operates thousands of VPN servers and makes cross-platform VPN applications for all major desktop and mobile operating systems as well as routers and browser extensions.

About the Program:

ExpressVPN’s public program will be focused on:

  • Vulnerabilities in its client applications, especially vulnerabilities that lead to privilege escalation
  • Any kind of unauthorized access on its VPN servers
  • Vulnerabilities that exposes or puts customer data at risk to unauthorized persons
  • Vulnerabilities that weaken, break or otherwise subvert VPN communications in a way that exposes the traffic to other VPN product users 

What’s In It For You:

ExpressVPN has a self-hosted, public bug bounty program since 2016 and is now leveraging the growing talent of the Crowd. This program has a P1 reward range of $2,100 – $2,500 and an average payout of $750. With a variety of target assets and skill types, this program has opportunities for all researchers in both recon and deep-diving security vulnerabilities.


Assets in scope include:

  • VPN servers
  • ExpressVPN iOS application
  • ExpressVPN android application
  • ExpressVPN Linux application
  • ExpressVPN macOS application
  • ExpressVPN Windows application
  • ExpressVPN Router
  • ExpressVPN Firefox extension
  • ExpressVPN Chrome extension
  • MediaStreamer DNS servers
  • ExpressVPN APIs
  • expressvpn.com
  • *.expressvpn.com
  • *.xvservice.net
  • *.expressobutiolem.onion
  • Apple App Store (886492891)
  • Google Play (com.expressvpn.vpn)
  • Internal systems:
    1. Employee email
    2. Internal chat messages
    3. Source code hosting
    4. Any vulnerability that compromises the privacy of our employees
  • Additionally, any publicly accessible host that is owned or operated by ExpressVPN that is not in the above list may be considered in-scope on a case-by-case basis.

Valid bug reports include any bugs related to the privacy and security capabilities of:

  • ExpressVPN’s VPN and DNS servers
  • ExpressVPN apps
  • ExpressVPN browser extensions
  • ExpressVPN websites
  • ExpressVPN profiles on the App Store and Google Play Store


This is an attractive program for anyone with skills in:

  • Web app security
  • API security
  • Thick client security in Windows, Mac and Linux apps
  • Mobile device app service for iOS and Android
  • Browser extension security for Edge, Firefox, and Chrome
  • Router firmware and related security
  • Security and encryption protocol security 

What Can You Expect From This Program:

When working with the ExpressVPN team, you can expect them to:

  • Extend Safe Harbor for your vulnerability research
  • Work with you to understand and validate your report, including a timely initial response to the submission
  • Work to remediate discovered vulnerabilities in a timely manner
  • Recognize your contribution to improving their security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change

Interested in learning more?