VPN provider seeks to restore trust in the wake of previously disclosed server breach

NordVPN has launched a public bug bounty program through HackerOne, with rewards potentially exceeding $5,000.

The virtual private network (VPN) provider, which claims more than 12 million users worldwide, first announced plans to set up a paid vulnerability disclosure program in late October after it emerged that private encryption keys had been stolen from NordVPN and disseminated online.

Security researchers who find in-scope vulnerabilities in NordVPN’s servers, applications, website, and backend services can win bounties ranging from $100 for minor bugs to $5,000 for critical flaws.

On its HackerOne bug bounty page, NordVPN says rewards could go higher still for “especially clever or severe vulnerabilities”.

“At NordVPN, we seek to make our infrastructure – and customers’ data – as secure as possible,” said Ruby Gonzalez, head of communications at NordVPN. “And community participation is essential for reaching this goal.”




The bug bounty program is part of a raft of security measures announced by NordVPN in the wake of the encryption key theft, which also affected fellow VPN provider TorGuard.

Other measures include switching to diskless RAM servers, conducting an exhaustive infrastructure security audit, and appointing a cybersecurity consultancy.

NordVPN, which has 5,000 servers in 60 countries worldwide, was implicated in the aforementioned certificate breach only days after being accused of making misleading marketing claims about its security capabilities.

The Daily Swig has reached out to NordVPN for further comment.

