ExpressVPN, our Editor’s choice for the best VPN on the market right now, has gone one step further in its quest to be the most secure and private VPN available.
It has announced that it is boosting its bug bounty, the reward it pays out to ethical hackers who identify vulnerabilities in its software, to a huge US$100,000.
The bounty is being offered via BugCrowd’s Bug Bounty solution and is on offer to all researchers who can find and demonstrate a critical security bug in ExpressVPN’s in-house technology, TrustedServer.
As ExpressVPN are keen to point out, this is the highest single bounty that is currently available on BugCrowd and represents a ten-fold increase in the bug bounty that ExpressVPN previously offered.
ExpressVPN was the first VPN provider to introduce a bug bounty programme and even at the lower reward levels, it has already paid out tens of thousands of dollars to independent security researchers.
It decided to join BugCrowd in 2020 to expand the reach of its programme, and the response has been positive enough that it has now taken this significant step.
As the company’s press release rightly notes, this ten-fold bounty increase is a clear and stark illustration of the company’s ongoing commitment to the privacy and security of its users.
To put the sum into some context, an annual subscription to ExpressVPN (which currently comes with an additional three months free) costs just £76 (US$103).
What is TrustedServer?
TrustedServer, which was launched in 2019, is ExpressVPN’s in-house software designed to take away many of the problems that VPNs can have with external server management.
It is essentially an operating system featuring multiple layers of protection designed to enhance security as much as possible.
It includes a custom Linux distribution built on Debian Linux which was developed in-house at ExpressVPN and a reproducible build and verification system which minimises security risks and ensures that source code and build system have not been tampered with.
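The article describes a reproducible build and verification system only in outline. The following is an added illustration of the underlying idea, written for this page and not ExpressVPN's or TrustedServer's own code: two independent builds of the same source are hashed file by file, and any artifact whose hash differs (or that appears in only one build) is flagged, because a build that cannot be reproduced bit for bit cannot be verified as untampered. The directory layout, file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Build a manifest mapping each regular file's relative path to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Compare two build manifests; the build is reproducible only if they match exactly.

    'missing' files are in the reference build but not the rebuild; 'unexpected' files
    (for example a stray build log or timestamped artifact) exist only in the rebuild.
    """
    mismatched = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    return {
        "reproducible": not (mismatched or missing or unexpected),
        "mismatched": mismatched,
        "missing": missing,
        "unexpected": unexpected,
    }


def run_demo() -> dict:
    """Create two constructed 'builds' of the same tree and compare them.

    Build B differs in one config file and carries an extra log file, simulating a
    non-deterministic or tampered build that a verifier should reject.
    """
    # Constructed sample artifacts; the names and bytes are illustrative only.
    files = {
        "bin/vpnd": b"\x7fELF constructed-binary-placeholder",
        "etc/server.conf": b"logging=off\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        build_a = Path(tmp) / "build_a"
        build_b = Path(tmp) / "build_b"
        for root in (build_a, build_b):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Introduce a divergence in build B: a changed config and an extra file.
        (build_b / "etc" / "server.conf").write_bytes(b"logging=on\n")
        extra = build_b / "var" / "build.log"
        extra.parent.mkdir(parents=True, exist_ok=True)
        extra.write_bytes(b"built at 12:00\n")
        return compare_manifests(hash_tree(build_a), hash_tree(build_b))


if __name__ == "__main__":
    print(run_demo())
```

In practice the reference manifest would be produced on a separate, trusted build machine and signed, so that the comparison also detects a compromised build host rather than only a non-deterministic compiler.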
It also wipes all servers on a weekly basis and reinstalls the operating system, along with the latest security patches and fixes, to ensure that vulnerabilities are minimised and cannot be exploited and user data cannot possibly be retained on servers.
The software has already been independently audited by PricewaterhouseCoopers, who confirmed the claims made by ExpressVPN that TrustedServer did indeed enhance user security.
But ExpressVPN are not resting on their laurels. Instead, they have ramped up their bounty and invited independent researchers from around the world to take a look at TrustedServer for themselves.
Specifically, they have suggested that researchers should take a look at issues around unauthorised access to VPN servers, remote code execution, and any server vulnerabilities that could result in the leaking of user IP addresses or enable hackers to monitor user traffic.
Explaining the decision to boost the bug bounty by such a significant amount, Shaun Smith, Software Engineering Fellow at ExpressVPN and the man who designed TrustedServer, said, “TrustedServer is already the world’s first and most advanced VPN server technology, and we want to work with the community to elevate it further.”
“This means using the ingenuity of BugCrowd’s security researchers to help us further improve the security of TrustedServer. It was important for us to demonstrate how seriously we take this contribution and are excited to see what the community comes back with.”
What is BugCrowd?
BugCrowd is a platform frequented by independent security researchers and so-called ethical hackers. Companies like ExpressVPN can host bug bounty programmes on the site and members of the community can choose which companies they want to research.
The ExpressVPN US$100,000 bounty is the biggest on the site. It is a one-off prize and is on offer to the first person who submits a valid vulnerability that either gives unauthorised access to ExpressVPN servers or exposes customer data.
BugCrowd explains that if users are unsure whether their testing is eligible for the bounty, they should check with them directly by emailing firstname.lastname@example.org.