NordVPN launches promised bug bounty program

NordVPN was galvanized into action after an attacker compromised one of its servers.
Written by Charlie Osborne, Contributing Writer

NordVPN has launched a bug bounty on HackerOne as part of an initiative to revamp the VPN provider's security posture.

On Monday, the virtual private network (VPN) service, used to mask online activity and IP addresses, said ethical hackers are now invited to probe NordVPN for security holes, weaknesses, and vulnerabilities that may place the firm or its users at risk.

Hosted on HackerOne, the program's scope covers the NordVPN website, its client applications, and the backend systems and services behind them. The Windows, macOS, iOS, Android, and Linux apps, as well as NordVPN's official apps for third-party devices, are all in scope.

Bounties and financial rewards on offer range from $100 to over $5,000, depending on the severity of the security flaws found.


"At NordVPN, we seek to make our infrastructure -- and customers' data -- as secure as possible," said Ruby Gonzalez, Head of Communications at NordVPN. "Community participation is essential for reaching this goal."

The bug bounty program is one of a series of initiatives the VPN provider announced after the compromise of one of its servers. The breach took place in March last year, when an attacker exploited a vulnerability in a remote management system present on the server to gain access to it.

NordVPN said it had been unaware that the remote management system existed and laid the blame on the data center provider that operated the server. It has since terminated its contract with the Finland-based company over the incident. In the longer term, NordVPN says it intends to remove its dependence on third-party hosting altogether by building and operating its own VPN servers and network infrastructure.


Aside from the bug bounty program, NordVPN has committed to working with VerSprite on regular penetration tests and an improved vulnerability management process, to forming an independent cybersecurity advisory board, and to completing a full security audit before 2020 that will cover everything from hardware to source code.

HackerOne is one of several online platforms that bring third-party bug bounty hunters and security researchers together with companies willing to pay for their findings. These platforms are not immune to the same security problems that affect other organizations, however.


Earlier this month, HackerOne paid a researcher $20,000 for a report showing that one of the company's own security analysts had accidentally leaked a valid session cookie for their HackerOne account. With that cookie, the researcher could have hijacked the analyst's session and, with it, reached any customer data and vulnerability reports the analyst was authorized to view.
