ExpressVPN Offers $100K Bug Bounty
Written by Sue Gee   
Thursday, 10 February 2022

ExpressVPN claims that its TrustedServer technology raises the bar for online privacy and security and to put this to the test it is offering a one-time $100,000 bug bounty bonus to the first person to hack it - ethically of course. 



ExpressVPN's servers are designed to be secure and resilient through a system called TrustedServer, which, as explained in the video has two features intended to deliver a more secure internet experience. The first is that they run only on volatile memory - this ensures that no data can persist on the hard drive, even by accident since the servers run strictly on RAM only. Secondly, all software, even the operating system, is freshly run from the latest readonly image each and every time the server is restarted. This provides consistency and means that every one of its thousands of servers around the world has the same, most up-to-date software when powered on. 

In the current climate of privacy concerns and confident of the  benefits conferred by TrustedServer, ExpressVPN is inviting security researchers in its Bug Bounty program operated through Bugcrowd to focus testing on the following types of security issues within our VPN servers: 

  • unauthorized access to a VPN server or remote code execution

  • vulnerabilities in our VPN server that result in leaking the real IP addresses of clients or the ability to monitor user traffic

To encourage more hackers to participate there's a bounty of $100,000 USD on offer in addition to the normal reward as long as there is proof of impact to user’s privacy. This will require demonstration of unauthorized access, remote code execution, IP address leakage, or the ability to monitor unencrypted (non-VPN encrypted) user traffic. This bonus will be valid until the prize has been claimed.

Offering a large bug bounty bonus raises awareness of ExpressVPN's ongoing Bug Bounty program which covers: 

  • vulnerabilities in its client applications, especially vulnerabilities that lead to privilege escalation

  • any kind of unauthorized access on its VPN servers

  • vulnerabilities that expose customer data to unauthorized persons

  • vulnerabilities that weaken, break, or otherwise subvert VPN communications in a way that exposes the traffic of anyone using its VPN products. 

While ExpressVPN properties can be considered included, certain testing methodologies are excluded. Specifically, tests that degrade the quality of service, e.g., DoS or spam, will not be considered for inclusion.

Cybersecuity has become ever more important and with all major players operating bug bounty schemes there is plenty of cash on offer to those who are skilled security researchers. If ExpressVPNs TrustedServer is as resilient as the company hopes it is the $100,000 may be on the table for a while but as the company has paid out bounties in the past there may be some pickings to be had even if this prize is never awarded.


More Information

ExpressVPN’s bug bounty program on Bugcrowd

Related Articles

GitHub Security Bug Bounty Milestones

Mozilla Increases Bug Bounty

Who Are The Hackers and Why 

Over $21 Million In Google Bug Bounty

Bug Bounty Bonanza

Intel Extends Bug Bounty Program

Microsoft and Facebook Launch Internet Bug Bounty Scheme

New Android Bug Bounty Scheme

Microsoft Bug Bounty Extends Scope

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Apache NiFi Adds Python Processor Support

Apache NiFi 2, a project for processing and distributing data, has been released with support for Python processors in the MiNiFi framework, and a completely rebuilt user interface.

More Jetpack Compose Updates

The July release of Android Jetpack Compose has some improvements and it is faster, but is it what we want?

More News

kotlin book



or email your comment to:

Last Updated ( Friday, 11 February 2022 )