In an era where we conduct even the most crucial, sensitive parts of our lives online, VPNs are critical tools for protecting our digital privacy and security. ExpressVPN is an industry-leading privacy and security company, providing an award-winning consumer VPN service, a password manager service, and more to empower millions to take control of their internet experience.
ExpressVPN takes the privacy and security of its users seriously. Because the company operates in the privacy and security space, a security breach is a serious potential issue that could result in the loss of its users' trust. ExpressVPN was concerned about attackers obtaining access to its VPN infrastructure and compromising users through the use of its apps. As part of its in-depth security strategy, ExpressVPN decided to select a managed bug bounty provider as a way to continuously review its products and services and provide the most secure user experience possible.
ExpressVPN has been using the Bugcrowd Platform for managed bug bounty since 2020. Brian Schirmacher, Offensive Security Manager at ExpressVPN, has worked in lockstep with Bugcrowd to ensure the products ExpressVPN delivers to users are as safe as possible. “Bugcrowd allows us to become aware of vulnerabilities in areas we don’t have oversight on, such as vendors making changes to third-party integrations without notifying us,” Schirmacher said. The ExpressVPN public program has uncovered nearly 100 valid vulnerabilities to date, and continues to see results as skilled hackers join the program.
Before Bugcrowd, ExpressVPN was running a self-managed bug bounty program. One key benefit of using the Bugcrowd Platform has been its focus on engineered triage for rapid validation and prioritization of vulnerabilities, which lets ExpressVPN’s engineers focus on remediation instead of filtering noise. Bugcrowd has also streamlined reporting and the reward and disclosure processes.
ExpressVPN has also found value in Bugcrowd’s CrowdMatch technology, matching the right hackers with the right skill sets to its needs—resulting in both a higher number of hackers reviewing its products and a more specialized group of hackers relevant to its scope.
ExpressVPN values the straightforward nature of the Bugcrowd Platform. “Bugcrowd offers reasonable terms without some of the admin/overhead/transaction fees that other players in this space have begun to add on. They’ve focused on their core service offering and ensured their primary product continues to meet customer needs,” Schirmacher said.
Another key differentiating factor for ExpressVPN is Bugcrowd's heavy focus on acting as an independent mediator between companies and hackers. This helps maintain trust, and is a huge priority for Bugcrowd.