ExpressVPN increases bug bounty reward to US$100,000

7 February 2022 by Marc Jacob

ExpressVPN announced it is offering US$100,000 via Bugcrowd’s Bug Bounty solution to researchers who can find and demonstrate a critical security bug on ExpressVPN’s in-house technology, TrustedServer. It is the highest single bounty offered on the Bugcrowd platform and 10 times higher than the top reward previously offered by ExpressVPN, showcasing the company’s commitment to providing essential privacy protections to its users.

ExpressVPN built TrustedServer technology to significantly minimize the problems that traditional server management poses. On top of having an independent audit by PwC to confirm TrustedServer’s security-enhancing claims, ExpressVPN is taking a further step by rewarding the people who help it improve its security.

ExpressVPN is inviting Bugcrowd security researchers to test its VPN servers for the following types of security issues:

• unauthorized access to a VPN server or remote code execution

• vulnerabilities in ExpressVPN’s VPN server that result in leaking the real IP addresses of clients or the ability to monitor user traffic

TrustedServer: More than just RAM-only servers

TrustedServer at its core is an operating system, with multiple layers of protection in place and each element designed for ultimate security. This includes:

• A custom Linux distribution built on top of Debian Linux and developed in-house at ExpressVPN.

• A reproducible build and verification system to minimize security risks and ensure that the source code or build system is not tampered with.

• The latest software updates and patches applied to every single server every week (with no part of the previous week’s build in this week’s release), by wiping all servers and reinstalling the entire operating system at least once a week.

• The ability for ExpressVPN to know exactly what’s running on each and every server—minimizing the risk of vulnerabilities or misconfiguration and dramatically improving VPN security.

• All information on a server is wiped every time it is powered off and on again, thanks to it living in RAM-only, stopping both data and potential intruders from persisting on the machine.
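The reproducible-build bullet above describes a verification step rather than a product feature: if two independent builders produce byte-identical artifacts, a tampered build system or source tree shows up as a digest mismatch. The script below is an added example, not ExpressVPN's or TrustedServer's code, showing the general check with constructed in-memory build trees (the paths and contents are invented for illustration): it hashes every artifact, compares two builds, and verifies a build against a published manifest.

```python
"""Reproducible-build verification: compare two independently produced
artifact trees, or one tree against a published manifest, by SHA-256.
Added example; the build trees below are constructed, not real releases."""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample builds: a dict of relative path -> file bytes.
BUILD_ONE: Dict[str, bytes] = {
    "etc/vpn/server.conf": b"port 1194\nproto udp\n",
    "usr/bin/vpnd": b"\x7fELF-placeholder-binary-v1",
    "usr/lib/libcrypto.so": b"\x7fELF-placeholder-library",
}
# A second builder that produced exactly the same output.
BUILD_TWO: Dict[str, bytes] = dict(BUILD_ONE)
# A builder whose output differs: one binary changed, one extra file left behind.
BUILD_TAMPERED: Dict[str, bytes] = dict(BUILD_ONE)
BUILD_TAMPERED["usr/bin/vpnd"] = b"\x7fELF-placeholder-binary-v1-modified"
BUILD_TAMPERED["tmp/debug.log"] = b"build host left this behind\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_tree(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map every artifact path to the SHA-256 of its contents."""
    return {path: sha256_hex(content) for path, content in tree.items()}


def diff_digests(da: Dict[str, str], db: Dict[str, str],
                 label_a: str, label_b: str) -> List[str]:
    """List every way two digest maps disagree, in a stable path order."""
    problems: List[str] = []
    for path in sorted(set(da) | set(db)):
        if path not in da:
            problems.append(f"only in {label_b}: {path}")
        elif path not in db:
            problems.append(f"only in {label_a}: {path}")
        elif da[path] != db[path]:
            problems.append(f"digest mismatch: {path}")
    return problems


def compare_builds(build_a: Dict[str, bytes],
                   build_b: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """True only if both builders produced byte-identical artifact sets."""
    problems = diff_digests(digest_tree(build_a), digest_tree(build_b),
                            "build A", "build B")
    return (not problems, problems)


def release_manifest(build: Dict[str, bytes]) -> str:
    """Render the digests as a publishable manifest: '<sha256>  <path>' per line."""
    digests = digest_tree(build)
    return "\n".join(f"{digests[p]}  {p}" for p in sorted(digests)) + "\n"


def verify_against_manifest(build: Dict[str, bytes],
                            manifest: str) -> Tuple[bool, List[str]]:
    """Check a locally produced build against a published manifest."""
    expected: Dict[str, str] = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        expected[path] = digest
    problems = diff_digests(expected, digest_tree(build), "manifest", "build")
    return (not problems, problems)


if __name__ == "__main__":
    for name, other in (("BUILD_TWO", BUILD_TWO), ("BUILD_TAMPERED", BUILD_TAMPERED)):
        ok, problems = compare_builds(BUILD_ONE, other)
        print(f"BUILD_ONE vs {name}: {'reproducible' if ok else 'MISMATCH'}")
        for p in problems:
            print("  " + p)
```

In practice the two trees come from separate build hosts (or one host and the vendor's published manifest), and any difference is treated as a failed release rather than a warning; the manifest itself still needs to be signed, since a hash list is only as trustworthy as the channel it arrived on.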

Shaun Smith, Software Engineering Fellow at ExpressVPN and the architect behind TrustedServer, says, “TrustedServer is already the world’s first and most advanced VPN server technology, and we want to work with the community to elevate it further. This means using the ingenuity of Bugcrowd’s security researchers to help us further improve the security of TrustedServer. It was important for us to demonstrate how seriously we take this contribution, and we are excited to see what the community comes back with.”

Smith continues, “Traditionally, VPN infrastructure may be vulnerable to several privacy and security risks. This is because most traditional approaches to managing server infrastructure cannot account for various security and privacy risks that are important for VPN service providers to mitigate. We built TrustedServer to address those risks, and make the same solution scalable, consistent, and secure across all our servers.”

ExpressVPN has had a Bug Bounty program since 2016, and was one of the first in the industry to implement one. The company has since paid out tens of thousands of dollars to security researchers, joining Bugcrowd in 2020 to increase the reach and effectiveness of its program.

Nick McKenzie, Chief Information & Security Officer, Bugcrowd, says, “We’re uber excited to see a leader in the online privacy and security world stepping up and collaborating with our community of cyber researchers, to ultimately work together to ensure a safe online experience for everyone. ExpressVPN’s ongoing partnership with Bugcrowd since 2020 demonstrates its commitment to a strong security posture and a constant drive to improve the security of its products and services. We hope this incentivizes more researchers to join the crowd, and be a part of finding solutions to secure the digitally connected world.”

Bug Bounty Details

• The first person to submit a valid vulnerability, granting unauthorized access or exposing customer data, will receive the US$100,000 bounty. This one-time bonus is valid until the prize has been claimed.

• The one-time US$100,000 bounty is only eligible for vulnerabilities in ExpressVPN’s VPN Server.

• Activities should remain in scope to the TrustedServer platform. If unsure that your testing is considered in-scope, please reach out to support@bugcrowd.com to confirm first.