ExpressVPN Offering $100,000 To First Person Who Hacks Its Servers

ExpressVPN has updated its bug bounty program to make it more inviting to ethical hackers, now offering a one-time $100,000 bug bounty to whoever can compromise its systems. BleepingComputer reports:

Today, ExpressVPN announced that they are now offering a $100,000 bug bounty for critical vulnerabilities in their in-house technology, TrustedServer. “This is the highest single bounty offered on the Bugcrowd platform and 10 times higher than the top reward previously offered by ExpressVPN,” the company shared in an email to BleepingComputer. The new $100,000 one-time bounty is offered with the following conditions:

  • The first person to submit a valid vulnerability, granting unauthorized access or exposing customer data, will receive the $100,000 bounty. This one-time bonus is valid until the prize has been claimed.
  • The one-time $100,000 bounty is only eligible for vulnerabilities in ExpressVPN’s VPN Server.
  • Activities should remain in scope to the TrustedServer platform. If unsure that your testing is considered in-scope, please reach out to [email protected] to confirm first.

ExpressVPN also invites security researchers to uncover possible ways to leak the actual IP address of clients and monitor user traffic. The bug bounty program is run through Bugcrowd, which offers a safe harbor for researchers who attempt to breach ExpressVPN’s servers as part of the program.
