Request a Demo Contact Us

ExpressVPN Demonstrates Commitment to Security With Crowdsourced Programs

ExpressVPN has been helping people shield their online activity since 2009, and now has customers in more than 180 countries.


Managed Bug Bounty
Vulnerability Disclosure



  • Challenge

    As one of the world's leading VPN providers, ExpressVPN holds itself to high standards of security and wanted to scale its in-house bug bounty program to reach more researchers and achieve greater efficiency

  • Outcomes

    • More Bugs Identified in Shorter Time Frame
    • Faster Bug Remediation Cycle
    • Demonstrates Security Commitment to Customers

About ExpressVPN

“Whether we`re online shopping or streaming video content, we all want to stay safe on the internet and keep our data shielded from prying eyes. ExpressVPN helps its customers achieve this by enabling them to browse with a greater degree of anonymity and hide their IP address with best-in-class encryption, unlimited internet access, and ultra-fast VPN servers.

The company has been helping people shield their online activity since 2009, and now has customers in more than 180 countries. Unsurprisingly, given the nature of its business, ExpressVPN is leading the industry when it comes to privacy and security practices. “As a privacy and security company, we believe in working hard to earn our users trust. That doesn`t just mean leading the way on security practices and technologies, but also doing so in transparent ways” comments Harold Li, Vice President at ExpressVPN.

To help achieve this goal, ExpressVPN had been running its own bug bounty program since 2016, making it one of the first VPN providers to do so, and paid out tens of thousands of dollars to security researchers for their help. But ExpressVPN wanted to engage even more researchers, and its team was also finding it increasingly challenging to manually manage the reports. “Our bug bounty program is an important part of vulnerability management at ExpressVPN,” says Li. “We decided to join a crowdsourced program to get even more eyes on our products and selected Bugcrowd for its strong reach and reputation among researchers.”

A Broader Bug Bounty Program With Complete Control

ExpressVPN now has a public managed bug bounty and vulnerability disclosure program with Bugcrowd, which enables the company to achieve a high level of exposure with a wide range of researchers. ExpressVPN`s commitment to security extends in both breadth and depth: all the company`s products and services are in scope, including even employee systems, internal services, backend systems, and APIs.

With clear guidelines and messaging, ExpressVPN can easily point researchers to investigate specific items in new releases. “We now have more researchers spending more time examining our assets, which means our customers are better protected than ever,” says Li. “And as the Bugcrowd team conducts all the validation, deduplication, and triage, we have more resources to focus on resolving real bugs and can address those with the biggest impact first.”As part of the process, the researcher is asked to verify that the bug no longer exists after ExpressVPN has implemented a fix, giving the company an extra layer of reassurance.

The number of Bugcrowd findings is a true measure of our maturity as a company. I want to get to a point in the not too distant future where I am showing a graph at every board meeting that shows a meager number of Bugcrowd findings and not for lack of attention but due to our focus on enhancing our application security.

Harold Li, Vice President

Maximizing Trust in the Brand

By partnering with Bugcrowd, ExpressVPN can maximize transparency and trust in its brand. “We want to be transparent with existing and potential customers with the lengths we go to in order to protect their privacy and security and are excited to tap on the expertise of thousands of Bugcrowd researchers,” confirms Li.

With direct integration into ExpressVPN`s platform and no manual reports to track, the company is not only uncovering more bugs, but also improving efficiency. “Initial successes have included the revealing of some interesting P1 and P2 bugs,” says Li. “For example, we identified an issue in our release process that could have potentially made our MacOS app vulnerable if we rolled back a feature release that was paired with a security fix, but we were able to resolve it and are now confident it`s no longer a weakness.”

With more bugs revealed in a shorter time frame, the company can remediate them faster and in accordance with its clear SLAs. As a result, it can ensure its products and services are secure and continue to protect privacy for customers around the world.

If you are interested in learning more about ExpressVPN, go to

More About the Interviewee

Harold Li is vice president at ExpressVPN and part of the company`s senior leadership team, working on product, customer experience, business development, and marketing. As a privacy and security expert at the company, he also works closely with advocacy organizations such as the EFF, Center for Democracy & Technology, Fight for the Future, OpenMedia, and the Open Source Technology Improvement Fund. He is a member of Forbes Technology Council, and has also contributed to the San Francisco Chronicle, The Next Web, VentureBeat, Entrepreneur, and more.”

Subscribe for updates

Get Started with Bugcrowd

Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.