ExpressVPN’s bug bounty program

ExpressVPN operates thousands of VPN servers and develops cross-platform apps for all major desktop and mobile systems, as well as routers and browser extensions.

Security is central to how we build and maintain our products. We welcome the work of independent security researchers who help us keep our protections strong through responsible testing and disclosure.

ExpressVPN has run a public bug bounty program for years and has awarded thousands of dollars in rewards to researchers worldwide. We take pride in strong engineering and continuously look for ways to strengthen the security and privacy of our users.

Report a Bug

Get rewards with our bug bounty program.
  • Why this program matters
  • How we review reports
  • Target information
  • Safe harbor
  • Expectations
  • Ground rules
  • Safe harbor agreement
  • One-time 100,000 USD bonus award
  • How to submit a report

Why this program matters

Independent testing is a core part of how ExpressVPN maintains trust. Our bug bounty program gives researchers a direct path to highlight behaviors that deserve attention, and it helps us strengthen protections in real conditions. Every credible report teaches us something about how our systems behave under stress and contributes to a more resilient privacy service for our users.

How we review reports

Every submission goes through a structured process of replication, impact assessment, and engineering review. We recreate the reported conditions, verify the behavior, evaluate the potential risk, and coordinate ownership of the fix. This process keeps the loop fast and ensures that improvements ship reliably and safely.


Target information

Scope

The following ExpressVPN products and services are included in this bug bounty program. If you are unsure whether a specific target qualifies, please confirm with YesWeHack before testing.

Applications and platforms

  • ExpressVPN desktop and mobile apps
  • ExpressVPN router (Aircove and firmware)
  • ExpressVPN browser extensions
  • Any applications available at expressvpn.com/latest
  • Public beta versions of our applications

Web domains and APIs

Infrastructure

  • VPN servers using ExpressVPN’s TrustedServer technology
  • Backend and control systems directly operated by ExpressVPN

Note: Admin panels or services hosted by third-party data centers used by ExpressVPN are not in scope, as they are not owned or operated by us.

Focus

We’re especially interested in reports that strengthen the security of our core systems and infrastructure. In particular:

  • Vulnerabilities in our desktop, mobile, or router apps that could lead to privilege escalation.
  • Any form of unauthorized access to ExpressVPN’s servers or internal systems.
  • Vulnerabilities that could expose customer data to unauthorized parties.
  • Weaknesses that could compromise or subvert VPN communications, including those that could reveal traffic or real IP addresses.

Public beta versions of our applications are also included in scope.

Additionally, any publicly accessible host that is owned or operated by ExpressVPN that is not included in the Scope section may be considered on a case-by-case basis.

Note: Certain testing methods are excluded. Specifically, activities that degrade the quality of service, e.g., Denial of Service (DoS) attacks, spamming, or traffic flooding, will not be accepted.

Out of scope

All domains, systems, or subdomains not listed in the Scope section are considered out of scope. Testing on services that ExpressVPN does not own, operate, or control will not be eligible for rewards.

If you’re unsure whether a target is in scope, please confirm with YesWeHack before testing.


Safe harbor

ExpressVPN provides full safe harbor under disclose.io’s core-terms-GLOBAL.

We welcome security research carried out in good faith, and rely on responsible disclosure to maintain a high standard of privacy and protection for our users. This policy explains what we consider good-faith activity and outlines what researchers can expect from us when they report a vulnerability responsibly.

Expectations

When you follow this policy, you can expect ExpressVPN to:

  • Extend full safe harbor for your security research conducted within the scope of this policy.
  • Acknowledge and validate your report, including a timely initial response.
  • Address confirmed vulnerabilities promptly based on impact and severity.
  • Credit your contribution when you are the first to report a unique issue that results in a code or configuration change.

Ground rules

To support good-faith research and avoid confusion between legitimate testing and harmful activity, we ask researchers to:

  • Follow this policy and any other relevant agreements. If terms conflict, this policy takes precedence.
  • Report vulnerabilities promptly through the official channels.
  • Avoid disrupting systems, violating user privacy, destroying data, or harming the user experience.
  • Discuss findings only through approved channels, and keep details confidential until a fix is released.
  • Test only in-scope systems and respect any systems or activities marked out of scope.

If your testing unintentionally provides access to data:

  • Access only the minimum data needed to demonstrate the issue.
  • Stop immediately and report the finding if you encounter any user information during testing (including personally identifiable information (PII), personal healthcare information (PHI), payment details, or proprietary data).

You should interact only with accounts you own or accounts where you have explicit permission. ExpressVPN does not tolerate extortion in any form.

Safe harbor agreement

Vulnerability research carried out in line with this policy is considered:

  • Authorized under applicable anti-hacking laws. ExpressVPN will not initiate or support legal action for accidental, good-faith violations of this policy.
  • Authorized under relevant anti-circumvention laws. We will not bring a claim for bypassing technical controls during good-faith testing.
  • Exempt from the parts of our Acceptable Usage Policy that would otherwise limit security research, and those restrictions are waived for this purpose.
  • Lawful and beneficial to the security of our systems and the wider internet when conducted in good faith.

Researchers must continue to comply with all applicable laws. If a third party initiates legal action against you and your activity followed this policy, ExpressVPN will make it clear that your actions were within the bounds of authorized security research.

If you are ever unsure whether your testing aligns with this policy, please contact us through an official reporting channel before proceeding.


One-time 100,000 USD bonus award

ExpressVPN’s VPN servers run on TrustedServer, our purpose-built platform designed to strengthen resilience and reduce the risks that come with traditional server architectures. We continuously test this system and invite researchers to focus on the areas where a breakthrough would have the greatest impact on user privacy.

We are especially interested in:

  • Unauthorized access to a VPN server or remote code execution
  • Vulnerabilities that could reveal a user’s real IP address
  • Weaknesses that could allow monitoring of unencrypted traffic on a VPN server

To qualify for the bonus award, a submission must include clear evidence of impact. This means demonstrating one of the following on an ExpressVPN VPN server: unauthorized access, remote code execution, IP address leakage, or the ability to observe unencrypted user traffic.

A one-time bonus of 100,000 USD will be granted to the first researcher who submits a valid finding that meets these criteria. The bonus will remain available until it is claimed.

Scope for the one-time bonus

TrustedServer is the platform that underpins all VPN protocols we offer, which means all ExpressVPN VPN servers are in scope for this bonus award.

Researchers must ensure that all testing takes place only on systems owned and operated by ExpressVPN. Infrastructure or admin panels provided by third-party data center partners are out of scope, as they fall outside our control.

If you are unsure whether a target is in scope, please confirm with YesWeHack before continuing. Findings that involve out-of-scope systems will not qualify for rewards, and researchers may be removed from the program if out-of-scope testing is detected.

Exclusions

We strive to ensure that our challenges are on a level playing field. Therefore, the following individuals are not eligible for the one-time bonus:

  • Full-time or part-time employees of ExpressVPN or any subsidiary of Kape Technologies, as well as their friends and family.
  • Contractors, consultants, suppliers, vendors, representatives, or any other individuals affiliated with ExpressVPN.


How to submit a report

Researchers should submit all findings through YesWeHack, which manages ExpressVPN’s bug bounty programs. Reports can also be sent by email to security@expressvpn.com.

Please note that reports submitted by email will be shared with YesWeHack for triage, including the email address used to send the submission, even if the researcher is not a member of the YesWeHack platform.

You can also view recent rewards from our bug bounty program on YesWeHack.

Anonymous reporting

Researchers who prefer not to disclose their identity and who do not wish to receive a reward may submit a report anonymously through our vulnerability disclosure program submission form.
