NordVPN announced the launch of a bug bounty program

Pierluigi Paganini December 10, 2019

The popular virtual private network (VPN) service provider NordVPN announced the launch of a public bug bounty program.

White hat hackers will receive payouts between $100 and $5,000 for each reported vulnerability. NordVPN will also pay much more “for especially clever or severe” vulnerabilities.

Below is the reference payout range for vulnerabilities, depending on their severity level:

  • Critical: $1000-5000+ USD
  • High: $500-1000 USD
  • Medium: $100-500 USD
  • Low: $100 USD
  • None: $0 USD

The bug bounty program will be operated via the HackerOne platform. It covers NordVPN websites (nordvpn.com and some subdomains), Chrome and Firefox browser extensions, VPN servers, and desktop and mobile applications for all platforms.

“To encourage security researchers and our user community, we commit that, if we conclude, in our sole discretion, that your submission respects and meets the requirements of this Policy and Agreements, we will not pursue civil or criminal action, or send notice to law enforcement, and we may even reward you.” reads the safe harbor terms. “Neither will we pursue civil or criminal action, or send notice to law enforcement for accidental, good faith violations of this Policy and Agreements. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision, meaning, if in doubt, ask us first.”

Participants are not allowed to disclose bugs before a patch is released and without the explicit permission of the company. White hat hackers are obliged to give at least 90 days to fix the reported vulnerabilities.

In October, the VPN firms NordVPN and TorGuard were hacked, and threat actors leaked the private keys used to secure their web servers and VPN configuration files. At the time, NordVPN revealed that the incident involved a third-party datacenter and announced the launch of a bug bounty program.

Pierluigi Paganini

(SecurityAffairs – NordVPN, bug bounty)
