ExpressVPN Dangles One-Time $100K Bug Bounty For The First Successful Server Hack
ExpressVPN’s bounty program has a wide scope, giving ethical hackers free rein to target the company’s many applications, servers, APIs, websites, and app store listings. On top of that, ExpressVPN is now offering a one-time bonus bounty of $100,000 to the first person who submits a report of a valid vulnerability in the company’s servers. ExpressVPN is looking specifically for server-side security vulnerabilities that can be leveraged to achieve unauthorized access or remote code execution, to reveal the real IP addresses of clients, or to monitor user traffic.
The winner of this one-time bonus award must stay within the scope of ExpressVPN’s bounty program, so services that are not owned, hosted, and operated by ExpressVPN, such as data center services, are off limits. ExpressVPN also intends to ensure that the challenge is presented on a level playing field, so employees, contractors, consultants, and all others affiliated with ExpressVPN or another subsidiary of Kape Technologies are excluded from collecting the award.
The first technique is running the servers strictly in RAM. Because nothing is written to persistent storage, user data, and any foothold an intruder might gain, do not survive a server reboot. The VPN servers’ hard drives contain only cryptographically signed, read-only images holding the software required to boot.
Those read-only images enable the second technique: loading a fresh copy of the latest image of the entire software stack, operating system included, every time a server boots. Provided the image itself is kept current, this ensures that ExpressVPN’s servers are always running software with the latest updates and security patches.
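The two claims above, that the running system lives in RAM and that disk holds only a read-only image, are things an auditor on such a host can check directly from the mount table. The following is an added example written for this article, not ExpressVPN’s own code or tooling: it parses a /proc/mounts-style listing, flags any block device mounted read-write, and checks that the root filesystem is a RAM-backed type. Both mount listings in the block are constructed samples, not captures from a real server, and the set of filesystem types treated as RAM-backed is an assumption of this example.

```python
"""Audit a /proc/mounts listing for persistent, writable storage.

Added example (not ExpressVPN code). On a RAM-only server with a read-only
signed disk image, every mount backed by a block device should be read-only
and the root filesystem should be a RAM-backed type such as tmpfs.
"""

# Assumption of this example: filesystem types considered RAM-backed.
RAM_FSTYPES = {"tmpfs", "ramfs"}

# Constructed sample: what a RAM-only host with a read-only image mount looks like.
GOOD_MOUNTS = """\
tmpfs / tmpfs rw,relatime,size=8192000k 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /image squashfs ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""

# Constructed sample: a conventional host with writable disk partitions.
BAD_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines (device mountpoint fstype options dump pass)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        device, mountpoint, fstype, opts = parts[:4]
        mounts.append({
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": set(opts.split(",")),
        })
    return mounts


def persistent_writable(mounts):
    """Mountpoints where a block device (/dev/...) is mounted read-write.

    Pseudo-filesystems (proc, sysfs, tmpfs) report a non-/dev source, so only
    real block devices are considered. Any hit means data can survive a reboot.
    """
    return [
        m["mountpoint"]
        for m in mounts
        if m["device"].startswith("/dev/") and "rw" in m["options"]
    ]


def root_is_ram_backed(mounts):
    """True if the root filesystem is one of the RAM-backed types."""
    for m in mounts:
        if m["mountpoint"] == "/":
            return m["fstype"] in RAM_FSTYPES
    return False


def audit(text):
    """Run both checks over a /proc/mounts listing and return the findings."""
    mounts = parse_mounts(text)
    return {
        "root_ram_backed": root_is_ram_backed(mounts),
        "persistent_writable": persistent_writable(mounts),
    }


if __name__ == "__main__":
    for label, sample in (("good", GOOD_MOUNTS), ("bad", BAD_MOUNTS)):
        print(label, audit(sample))
    # On a live Linux host, audit(open("/proc/mounts").read()) runs the same checks.
```

This only confirms what the kernel reports about its mounts. It cannot tell you that the image on disk was signature-checked before boot, or that an attacker with root has not remounted a device; proving those properties needs a verified-boot chain rather than a mount-table check.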
You can find out more about how to win the $100,000 bonus award by visiting ExpressVPN’s bug bounty page.