In October 2019, two VPN providers at once, NordVPN and TorGuard, became aware of security problems. At the time, representatives of NordVPN explained that the blame for the incident lay not with the company but with one of the data centers in Finland, where the company rented servers. It turned out to be accessible without authorization (the contract with this service provider has since been terminated). As a result, the attacker got access to the NordVPN server “using an insecure remote control system”.
At the time, representatives of NordVPN also promised to soon launch the company's own bug bounty program, enter into an agreement with the cyber security consulting firm VerSprite, conduct a full audit of the infrastructure and take other measures to strengthen security.
It has now become known that the provider is keeping its promise: the launch of the NordVPN bug bounty program has been announced. The program will cover NordVPN sites (nordvpn.com and some subdomains), the official extensions for Chrome and Firefox, VPN servers, and desktop and mobile applications for all platforms. The company recommends reporting problems in WordPress, OpenVPN and StrongSwan directly to the appropriate vendor.
Payments to researchers will range from $100 to $5,000 per vulnerability, but rewards can reportedly be higher, especially for complex and serious vulnerabilities.