Banner object (1)

Hack and Take the Cash !

821 bounties in database
  Back Link to program      
NordVPN logo
Hall of Fame



Potential Security Vulnerability Reporting Policy

At NordVPN we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. Therefore, if you have found a potential security vulnerability, we would like to learn more about it to be able to correct the issue as soon as possible.
Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.
This Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.
Please note that in order to submit a Vulnerability Finding to us you must be at least 14 years old. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to making a submission to us.

Safe harbor terms

To encourage security researchers and our user community, we commit that, if we conclude, in our sole discretion, that your submission respects and meets the requirements of this Policy and Agreements, we will not pursue civil or criminal action, or send notice to law enforcement, and we may even reward you.
Neither will we pursue civil or criminal action, or send notice to law enforcement for accidental, good faith violations of this Policy and Agreements. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision, meaning, if in doubt, ask us first.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.
You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this bug bounty program permits.

Scope of accepted findings

Accepted, in-scope findings, include, but are not limited to:

  1. NordVPN consumer applications (all platforms: Windows, Mac, iOS, Android, Linux, browser extensions and official apps on third party devices).
  2. NordVPN VPN servers.
  3. NordVPN backend services and website.

Findings that we do not accept (out-of-scope findings) include, but are not limited to:

  1. Findings from physical testing such as office access (e.g. open doors, tailgating).
  2. Findings derived from social engineering (e.g. phishing, vishing).
  3. Denial of service (DOS) attacks.
  4. Unofficial third party applications, scripts and integrations.
  5. End-of-life application versions.
  6. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  7. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.
  8. WordPress bugs (please report those to WordPress directly).
  9. OpenVPN bugs (please report those to OpenVPN directly).
  10. StrongSwan bugs (please report those to StrongSwan directly).
  11. Out of date software – we do not always run the most recent software versions (patched).
  12. Third party services. Including but not limited to,,,,,,,,,,
  13. Anything related to credential stuffing.
  14. NordVPN Teams applications, VPN servers, backend services and website.
  15. Any other products or services related to NordVPN.

Reporting the findings

All the findings must be reported to us using Hackerone platform.

Please include:

  1. a description of the finding containing such info as URL and/or type of the potential vulnerability;
  2. a step-by-step guide that would allow us to reproduce the finding;
  3. if applicable, accompanying evidence, e.g. screenshots, videos, proof of concept code, dumps, etc.;
  4. if possible, a way to fix the issue;
  5. any other information that you think is relevant.

You could also add your contact information, including your public PGP key.
We will acknowledge the receipt of all the potential vulnerability disclosure finding reports. If you have not received a reply from us within seven days, please send a follow-up message. Should we decide to fix the bug, we will tell you when we expect to resolve it.

Code of conduct

Only interact with accounts you own or with explicit permission of the account holder.
Do not leak any data.
Do not perform any testing that could degrade the quality of our services.
Do not modify any files or data, including permissions, nor make copies, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
Do not disclose any findings or accessed data to any third parties.
If you have information about a potential security vulnerability and/or inadvertently come into possession of private data, please promptly initiate the reporting process as described above.
Claims for rewards or other compensation as a condition for sending in a potential Vulnerability Finding is not accepted and could be regarded as extortion - a criminal offence under the penal law.
For more information, please contact us at

The reward

To receive a reward, you must disclose the vulnerability report directly and exclusively to us. You also must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change.
We reserve the sole right to determine the size of reward, if any. We determine this on a case by case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.
This is a reference payout range for vulnerabilities depending on their severity levels:

  • Critical: $1000-5000+ USD
  • High: $500-1000 USD
  • Medium: $100-500 USD
  • Low: $100 USD
  • None: $0 USD

We may pay even higher rewards for especially clever or severe vulnerabilities.
We recommend for you to use Common Vulnerability Scoring System Version 3.0 Calculator __as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.
Previous reward amounts are not considered a precedent for future reward amounts.
Reward may be denied if there is reason to believe that there has been a violation of this Policy.
You may need to provide additional information, which would be necessary to receive the reward.

Taxes on rewards given to you are your sole responsibility.
Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount

Public disclosure

You must not publicly disclose the bug until after an update that fixes the bug is released. We ask to give us at least 90 day disclosure deadline. Reports that go against this principle will usually not qualify for our program and may even get you a permanent ban. We reserve the right to bring deadlines forward or backward and to deny any request for public disclosure based on extreme circumstances.

Other terms

By making a submission, you give us the right to use your Vulnerability Finding for any purpose.
You understand that your obligations under this Policy shall survive the termination of any other relationship between us.

This Policy is subject to change or cancellation by us at any time, without notice. As such, we may amend this Policy at any time. By continuing with your submission after such changes are posted, you accept those modifications.

In Scope

Scope Type Scope Name






This program have been found on Hackerone on 2019-12-05.

FireBounty © 2015-2020

Legal notices