ExpressVPN just majorly upped its bug bounty reward

ExpressVPN has revealed it is now offering ten times more money to anyone able to uncover security bugs.

The VPN company announced, via Bugcrowd’s Bug Bounty program, that it will pay $100,000 to anyone who is able to find and demonstrate a “critical security bug” in ExpressVPN’s in-house technology, TrustedServer.

The company’s previous top reward was $10,000.

Monitoring user traffic

A “critical security bug” would be one that allows either unauthorized access to a VPN server endpoint or remote code execution (such as running malware).

The term also covers any vulnerability in the VPN server that leaks clients’ real IP addresses or that would allow third parties to monitor user traffic.

TrustedServer’s goal, as ExpressVPN explains, is to “significantly minimize” problems inherent to traditional server management. 

At its core, it’s an operating system with “multiple layers of protection”: a custom Linux distribution built on Debian Linux and developed in-house, a reproducible build and verification system ensuring the authenticity of the source code and the build system, and the ability for ExpressVPN to know exactly what’s running on each and every server.

“Traditionally, VPN infrastructure may be vulnerable to several privacy and security risks,” commented Shaun Smith, Software Engineering Fellow at ExpressVPN and the architect behind TrustedServer.

“This is because most traditional approaches to managing server infrastructure cannot account for various security and privacy risks that are important for VPN service providers to mitigate. We built TrustedServer to address those risks, and make the same solution scalable, consistent, and secure across all our servers.”

Virtual Private Networks were once a staple of network security. In recent times, however, especially with the emergence of remote and hybrid working and with cybercrime more dangerous than ever before, organizations have increasingly been turning to zero-trust network access (ZTNA).

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.