Bug Bounty Policy

VPNArea would like to invite white hat hackers and security researchers to help us improve the security of our service with our Bug Bounty program.

You can find our PGP key below, please submit any vulnerability details and PoC to support [at] vpnarea . com encrypted with our PGP key.

We're considering outsourcing our Bug Bounty program to another independent platform, until that is done please adhere to rules and program as described below.

Target:

- VPNArea Web site and Network infrastructure.

- VPNArea Apps.


Scope:

Any issues considered P1-P3 in Bugcrowd's taxonomy are considered in-scope.


Rewards:

- P1: $300-$500

- P2: $150-$300

- P3: $50-$150



Out of Scope:


The following is considered out of the scope:

Any issues that are not rated P1-P3 in Bugcrowd's taxonomy are considered out of scope. Some issue examples that are considered out of scope can be seen below:

- Misconfigured or lack of SPF records

- Out of date software versions

- Content Spoofing

- Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work at least on > IE 8.

- .htaccess downloadable file without a real security misconfiguration that can have a demonstrable security impact

- Login page or one of our websites served over HTTP.

- Password not enforced on user accounts

- Clickjacking or any issue exploitable through clickjacking

- Lack of Secure and HTTPOnly cookie flags.

- Username / email enumeration

- Self XSS

- CORS issues without a working PoC

- Brute Force attacks

- URL redirection

- DDoS attacks

- CRIME/BEAST attacks

- Non-technical attacks (ie. social engineering, phishing or unauthorized access to infrastructure).

- Banner/version disclosure

- Brute Force attacks

- DDOS attacks

- CRIME/BEAST attacks

- Issues that cannot be reproduced

- Issues found through use of automated tools must not be a simple copy/paste of the result. A PoC and detailed description on how it can affect a user's data or PureVPN's data/infrastructure need to be included

- URL redirection




Program rules:


- Public vulnerability disclosure is NOT allowed, regardless if issue is resolved.

- A point of concept must be allowed.

- Reports can only be submitted in .txt format (plain-text).

- VPNArea's decision about rewards and downgrade of possible issues must be respected.

- All vulnerabilities must be reporducible directly by us.

- Please make sure our network, infrastructure and assets are not destructed or damaged with your testing.

- We will not respond to threats of disclosure and blackmail.

- We will make best effort to process any submitted vulnerability and rewards within 2 weeks.

- Payments are strictly by Paypal, sometimes if possible Bitcoin could also be offered as payment.

- You must buy your own VPN account to test if you'd like to test internal infrastructure. You could get a refund within first 7 days.

- If you've discovered multiple vulnerabilities please let us know in advance so that we could discuss a total reward we could offer you.


Our PGP Key can be found here.