ExpressVPN Dangles One-Time $100K Bug Bounty For The First Successful Server Hack

ExpressVPN runs a bug bounty program through Bugcrowd for the purpose of improving security across the VPN company’s services and websites. The program has already had 22 successful bounty claimants, but ExpressVPN is now sweetening the pot in order to attract more white hat hackers.

ExpressVPN’s bounty program has a wide scope, giving ethical hackers free rein to target the company’s many applications, servers, APIs, websites, and app store listings. However, ExpressVPN is now offering a one-time bonus bounty of $100,000 for the first person who submits a report of a valid vulnerability in the company’s servers. ExpressVPN is looking specifically for security vulnerabilities in its servers that can be leveraged to achieve unauthorized access or remote code execution, to view the real IP addresses of clients, or to monitor user traffic.

The winner of this one-time bonus award must stay within the scope of ExpressVPN’s bounty program, so services that are not owned, hosted, and operated by ExpressVPN, such as data center services, are off limits. ExpressVPN also intends to ensure that the challenge is presented on a level playing field, so employees, contractors, consultants, and all others affiliated with ExpressVPN or another subsidiary of Kape Technologies are excluded from collecting the award.

The bonus award is being offered for disclosing a vulnerability specifically in ExpressVPN’s VPN servers as a way for the company to put its TrustedServer platform to the test. TrustedServer combines two different techniques to increase server security and protect user data.

The first of these techniques is running the servers strictly in RAM. This technique ensures that user data and potential intruders don’t persist across server reboots. The company’s VPN server hard drives contain only cryptographically signed read-only images with the software required for boot.

These read-only images enable the second technique, which is freshly loading the latest up-to-date image of the entire software stack, including the operating system, each time a server boots up. The technique ensures that ExpressVPN’s servers are always running software with the latest updates and security patches.

You can find out more about how to win the $100,000 bonus award by visiting ExpressVPN’s bug bounty page.