A cybersecurity firm is offering a $100k bounty to hackers who can find a bug on its own platform, TrustedServer. The purse is ten times the highest previous offering from ExpressVPN for a zero-day exploit, suggesting the company is increasingly concerned about the integrity of its defenses.
The bounty offer was posted on Bugcrowd, and ExpressVPN – which courted controversy when its chief information officer was fined $335k last year for helping the United Arab Emirates spy on its political enemies – claims it is the single largest offering of its kind on the security forum.
“The first person to submit a valid vulnerability, granting unauthorized access or exposing customer data, will receive the bounty,” said the company, stressing that it is a one-time offer only.
Given exploit trader Zerodium’s recent declaration that it would pay top dollar for any zero-day exploits associated with ExpressVPN, the cybersecurity firm’s desire to get its hands on such precious data first is understandable – Zerodium is notorious for selling vulnerabilities on to third parties who can afford its high prices.
“ExpressVPN built TrustedServer technology to minimize the problem that traditional server management poses,” said the cybersecurity firm. “On top of having an independent audit by PwC to confirm TrustedServer’s security-enhancing claims, ExpressVPN is taking a further step by rewarding people who help us improve our security.”
ExpressVPN wants hackers on Bugcrowd to test for unauthorized VPN server access, remote code execution, and vulnerabilities that could result in clients’ IP addresses being leaked or monitored.
Shaun Smith, ExpressVPN software engineer and TrustedServer creator, said: “The ingenuity of Bugcrowd’s security researchers [can] help us further improve security. We are excited to see what the community comes back with.”
He added that VPN infrastructure could be particularly vulnerable to privacy and security risks because most conventional approaches to protecting server infrastructure were not originally designed for the technology. “We built TrustedServer to address those risks, and make the same solution scalable, consistent, and secure across all our servers,” he said.
TrustedServer provides multiple security features, including a verification system to prevent source code and build systems from being tampered with, and weekly software updates that wipe servers and reinstall operating systems.