NordVPN introduces bug bounty program as part of security overhaul
NordVPN has announced a series of initiatives that it says will significantly improve the security of its infrastructure after an attacker gained access to one of its servers.
The company, known for its widely used virtual private network (VPN) service, confirmed last week that a server it was renting from a data center in Finland was exploited by an attacker via an insecure remote management system left by the data center provider.
According to NordVPN, the server did not contain any user activity logs, usernames or passwords. Nonetheless, the company said that it has enlisted the cybersecurity consulting firm VerSprite to run penetration testing, threat and vulnerability management, compliance management and assessment services on its infrastructure. VerSprite will also work with the company to form an independent cybersecurity advisory committee, which will oversee NordVPN's security practices.
Additionally, NordVPN said it plans to introduce a bug bounty program to catch potential vulnerabilities. Cybersecurity experts who find and report the vulnerabilities will receive a payout.
NordVPN is also planning a full-scale independent security audit for 2020. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures, the company said. In a move away from third-party server providers, NordVPN is planning to build out a network of wholly owned colocated servers and is currently reviewing its infrastructure to ensure there are no other existing, exploitable vulnerabilities.
NordVPN is also planning to upgrade its more than 5,100 servers to RAM servers. The move will create a centrally controlled network where nothing is stored locally, including the operating system, and ensure that if a server is seized by an attacker, they'll find blank hardware with no data or configuration files on it.
"Every part of NordVPN will become faster, stronger, and more secure, from our infrastructure and code to our teams and our partners," said NordVPN's head of PR Laura Tyrell.