The virtual private network (VPN) service provider NordVPN announced the launch of a public bug bounty program.
White hat hackers will receive payouts between $100 and $5,000 for each reported vulnerability.
Below a reference payout range for the vulnerabilities
The bug bounty program will be operated via the HackerOne platform, it covers NordVPN websites (nordvpn.com and some subdomains), Chrome and Firefox browser extensions, VPN servers, and desktop and mobile applications for all platforms.
“To encourage security researchers and our user community, we commit that, if we conclude, in our sole discretion, that your submission respects and meets the requirements of this Policy and Agreements, we will not pursue civil or criminal action, or send notice to law enforcement, and we may even reward you.” reads the safe harbor terms. “Neither will we pursue civil or criminal action, or send notice to law enforcement for accidental, good faith violations of this Policy and Agreements. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact
Participants are not allowed to disclose bugs before a patch is released and without the explicit permission of the company, white hat hackers are obliged to give at least 90 days to fix the reported vulnerabilities.
In October, NordVPN and TorGuard VPN firms were hacked and threat actors leaked the private keys used to secure their web servers and VPN configuration files. At the time NordVPN revealed that the incident involved a
(SecurityAffairs – NordVPN, bug bounty)