ExpressVPN claims that its TrustedServer technology raises the bar for online privacy and security and to put this to the test it is offering a one-time $100,000 bug bounty bonus to the first person to hack it - ethically of course.
ExpressVPN's servers are designed to be secure and resilient through a system called TrustedServer, which, as explained in the video has two features intended to deliver a more secure internet experience. The first is that they run only on volatile memory - this ensures that no data can persist on the hard drive, even by accident since the servers run strictly on RAM only. Secondly, all software, even the operating system, is freshly run from the latest readonly image each and every time the server is restarted. This provides consistency and means that every one of its thousands of servers around the world has the same, most up-to-date software when powered on.
In the current climate of privacy concerns and confident of the benefits conferred by TrustedServer, ExpressVPN is inviting security researchers in its Bug Bounty program operated through Bugcrowd to focus testing on the following types of security issues within our VPN servers:
unauthorized access to a VPN server or remote code execution
vulnerabilities in our VPN server that result in leaking the real IP addresses of clients or the ability to monitor user traffic
To encourage more hackers to participate there's a bounty of $100,000 USD on offer in addition to the normal reward as long as there is proof of impact to user’s privacy. This will require demonstration of unauthorized access, remote code execution, IP address leakage, or the ability to monitor unencrypted (non-VPN encrypted) user traffic. This bonus will be valid until the prize has been claimed.
Offering a large bug bounty bonus raises awareness of ExpressVPN's ongoing Bug Bounty program which covers:
vulnerabilities in its client applications, especially vulnerabilities that lead to privilege escalation
any kind of unauthorized access on its VPN servers
vulnerabilities that expose customer data to unauthorized persons
vulnerabilities that weaken, break, or otherwise subvert VPN communications in a way that exposes the traffic of anyone using its VPN products.
While ExpressVPN properties can be considered included, certain testing methodologies are excluded. Specifically, tests that degrade the quality of service, e.g., DoS or spam, will not be considered for inclusion.
Cybersecuity has become ever more important and with all major players operating bug bounty schemes there is plenty of cash on offer to those who are skilled security researchers. If ExpressVPNs TrustedServer is as resilient as the company hopes it is the $100,000 may be on the table for a while but as the company has paid out bounties in the past there may be some pickings to be had even if this prize is never awarded.
Edera has released Am I Isolated, an open source container security benchmark that probes users runtime environments and tests for container isolation.
