NordVPN has launched its own bug bounty programme as part of a series of measures to boost security in the wake of some damaging revelations earlier this year.
Regular readers may recall that we reported back in October how a careless faux pas on social media led to a series of tweets from hackers which appeared to show that NordVPN’s encryption key had been exposed.
After some rather panicked investigations, NordVPN admitted that one of the data centres it used in Finland had a security vulnerability it had not been aware of. NordVPN insisted that it had stopped using this particular data centre and any risks users might have been exposed to had been swiftly and firmly dealt with.
It was a pretty convincing response and while some cynicism remained among a few cyber-security experts, our advice was that NordVPN remained safe to use but that we would keep a close eye on their future security and privacy arrangements.
We have done exactly that over the past three months and we have been pretty impressed with what we have seen.
NordVPN is clearly aware that, despite tackling this vulnerability swiftly and decisively, its reputation has taken a hit and it has to go the extra mile to put things right.
It has done exactly that with a five-point plan to improve security and rebuild the trust of its users and the wider cyber-security community.
The NordVPN bug bounty programme
The latest of these five steps to be announced is the NordVPN bug bounty programme.
Bug bounties are programmes which encourage pro-security hackers to test NordVPN’s software and infrastructure for bugs and vulnerabilities and then report them to NordVPN.
It is an ongoing scheme, which means that NordVPN could be alerted to a vulnerability at any time and will be able to patch the issue before it becomes public knowledge. It is accepting reports about issues with its applications, servers, backend services, websites, and just about anything else.
Hackers who spot vulnerabilities will be paid for their efforts, with NordVPN announcing that rewards will range from US$100 for minor issues up to US$5,000 for major flaws. It guarantees that hackers will never face criminal action as long as they act ethically and report all their findings on the HackerOne platform.
Bug bounty programmes are a great way to get skilled amateur hackers to test your infrastructure. They often spot things that professionals miss and ensure a rolling security test is always being carried out.
As Ruby Gonzalez, Head of Communications at NordVPN, explained, “At NordVPN, we seek to make our infrastructure — and customers’ data — as secure as possible. And community participation is essential for reaching this goal.”
NordVPN’s other security advances
Besides the bug bounty programme, there are four other landmark steps that NordVPN has taken to tighten up its security.
It has partnered with VerSprite, a highly regarded US-based cyber-security consultancy. Together, they are gathering a committee of thought-leaders in the sector to help steer NordVPN’s future security policies and ensure it sticks to its principles and promises.
VerSprite will also operate a team of penetration testers who will undertake a similar role to the amateurs who take advantage of the bug bounty programme and constantly probe NordVPN’s infrastructure and code for vulnerabilities.
NordVPN has also set the wheels in motion for a full-scale, independent third-party security audit. This will happen next year and full details are yet to be released, but it will include audits of NordVPN’s infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures.
It is also increasing the security standards required of vendors that work with NordVPN to try and ensure a similar problem to the one it encountered in Finland cannot happen again.
The best way to avoid this issue is by owning its own servers. Some VPNs have already gone down this path and NordVPN plans to follow their lead and begin to create a network of co-located servers it owns itself.
Finally, NordVPN is also in the process of upgrading its entire infrastructure to RAM-only servers. With more than 5,200 servers this is a big job and will take time. But when it is complete, NordVPN will have a centrally controlled network where no data whatsoever is stored locally.
This will mean that if a server is ever compromised, there is no data or configuration files there for hackers to plunder.
What this all means
When all of these five steps are in place, NordVPN will have one of the most impressive security setups of any VPN. But it is not there yet.
The bug bounty programme is an important step along that road and will undoubtedly help NordVPN to patch vulnerabilities it might otherwise not have found. All NordVPN users will benefit from this scheme, so we hope it will be a big success.
We remain confident in NordVPN and its security provisions. But the truth is it still has some way to go to convince everyone it is as secure as it claims.