VPN service provider NordVPN has launched a public bug bounty program. The program rewards ethical hackers and security researchers for discovering potential vulnerabilities and reporting them to NordVPN, so that the provider can fix bugs before they are exploited.
The payout depends on the severity of the reported vulnerability. NordVPN offers rewards of up to $5,000 USD, with higher payouts for “especially clever or severe weaknesses”.
The bug bounty program is one of a series of commitments VPN service provider NordVPN made in October, following the disclosure of high-profile attacks on servers belonging to NordVPN and other VPN providers. Back then, NordVPN said: “We’ve learned our lesson and we want to prove it with actions, not just words. We can’t promise 100% immunity – no one can. But we can promise that we have taken this incident to heart and will do everything we can to improve and to win back your trust.”
Rewarding ethical hackers and security researchers for finding and reporting vulnerabilities benefits both sides. Researchers receive cash, and the provider gets its services and systems tested by a broad pool of outside researchers with varied skills and tooling. Users benefit as well, because bugs that are found are reported to the vendor rather than sold or exploited. A bounty program complements rather than replaces internal testing and independent audits, but it does add a steady stream of external scrutiny to the service that protects users' privacy.
NordVPN’s head of communications, Ruby Gonzalez, explains: “At NordVPN, we seek to make our infrastructure as well as customers’ data as secure as possible. Community participation is essential for reaching this goal. If you have found a potential security vulnerability, we would like to learn more about it to be able to correct the issue as soon as possible.”
The Bug Bounty Program
The details, scope, code of conduct and reward amounts of NordVPN’s bug bounty program were published a few days ago on HackerOne. At the time of writing, NordVPN is the only VPN service provider on HackerOne’s 2019 list of bounty programs.
In scope are NordVPN’s websites (nordvpn.com and selected subdomains), the Chrome and Firefox browser extensions, the VPN servers, and the desktop and mobile applications for all platforms. Because scope and exclusions change over time, researchers should check the program page on HackerOne before testing. Researchers must not publicly disclose a vulnerability until a fix has been released, and must give NordVPN at least 90 days to fix any vulnerability they report, a window that matches common coordinated-disclosure practice.
The program also includes a safe-harbor clause: NordVPN commits to taking no legal action against researchers who test its systems, provided they stay within the published scope and follow the program’s code of conduct.