| Scope Type | Scope Name |
| --- | --- |
| android_application | PureVPN Android App |
| ios_application | PureVPN iOS App |
| other | PureVPN Windows App |
| other | PureVPN MAC App |
| other | PureVPN DDwrt Applet |
After almost a decade in the online security industry, PureVPN has grown into one of the market leaders of the VPN industry. With a continuously expanding server base, server locations, compatible software, data encryption tools, authentication protocols, customer support options and payment methods, PureVPN has been relentlessly working towards delivering the best value to its users.
PureVPN's network of 2000+ servers is spread across more than 140+ countries, serving over 3 million users from all over the world. PureVPN's service has proved to be a practical solution for travelers or teleworkers looking to encrypt their Internet activity on hotel, airport or other insecure public Wi-Fi; businesses that want secure remote access; people who want to stay off the radar of marketers, advertisers and third-party agencies; and Internet users who want their privacy to remain intact.
We are not only concerned with vulnerabilities and loopholes around enumeration and information gathering, but also with vulnerabilities that lead to infrastructure compromise. We are also interested in conventional web application and desktop application vulnerabilities, as well as any other vulnerabilities or loopholes that have a direct impact.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy, except for issues listed in the "non-rewarded" section near the bottom of this page; please ensure you review this table! It is also important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
We typically reward lower amounts for vulnerabilities that require significant user interaction.
Please be aware that PureVPN may take up to three weeks to accept any given submission and allocate the reward. No rewards should take longer than three weeks to process.
Last updated 29 Aug 2018 22:16:28 UTC
| Technical severity | Reward range |
| --- | --- |
| P1 Critical | $600 - $1,500 |
| P2 Severe | $300 - $600 |
| P3 Moderate | $100 - $300 |
| P4 Low | $50 - $100 |
P5 submissions do not receive any rewards for this program.
| Target name | Type |
| --- | --- |
| ATOM SDK | Other |
| <https://www.purevpn.com> | Website |
| <https://my.purevpn.com> | Website |
| <https://support.purevpn.com> | Website |
| api.purevpn.com | API |
| PureVPN Windows App | Other |
| PureVPN MAC App | Other |
| PureVPN iOS App | iOS |
| PureVPN Android App | Android |
| PureVPN DDwrt Applet | Other |
Any domain/property of PureVPN or associated entities which is not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Credentials are not provided for this program, and researchers are encouraged to create their own as they're able to. To this end, please feel free to create trials, or use any existing accounts you already own. However, please ONLY test against accounts you expressly own, and not against any other users.
(When testing the thick clients, please be sure to only test against the latest version.)
PureVPN Windows App
Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe
PureVPN MAC App
Download URL: https://s3.amazonaws.com/purevpn-dialer-assets/mac/app/purevpn_setup.dmg
PureVPN iOS App
Download URL: On the Apple App Store
PureVPN Android App
Download URL: On the Google Play Store
PureVPN DDwrt Applet
Download URL: http://routerapplet.purevpn.com/cgi-bin/applet-cgi.py
In addition to Bugcrowd's VRT, the following service-specific issues can also be reported by researchers and will be rewarded under the P3 category (reward range $100 - $300).
No manipulation of services running on the client system will be accepted, except where the manipulation is based solely on network/protocol traffic and is reproducible at will.
For the following tests, it is mandatory to attach a screenshot of a traceroute/MTR to bugcrowd.com taken after establishing the VPN connection.
It is mandatory to attach a screenshot of your assigned IP after a successful VPN connection.
All of the following tests should be performed after establishing a VPN/proxy connection to PureVPN's Canada location.
Reports that violate the above points will be marked incomplete/invalid.
1) DNS Leak (Except Ozone and Gravity services)
A DNS leak is a security flaw that allows DNS requests to be revealed to the ISP's DNS servers despite the use of a VPN service intended to conceal them. Test whether the DNS leak protection mechanism implemented in the client apps is fit for purpose.
2) IPv6 Leak
This refers to a scenario where the vpn_user's ISP provides IPv6 addresses but the user's VPN server does not support IPv6, so IPv6 traffic leaves without any blocking and the user's real IPv6 address is leaked to a third party. Test whether the IPv6 blocking mechanism implemented in the client apps is fit for purpose.
3) Real IP Leak via Chrome Browser Extension only (VPN service is NOT in scope)
Any misconfiguration or vulnerability on the server or client side that results in the user's real IP address being leaked to a third party. Test whether the leak protection mechanism implemented in the browser extension is fit for purpose.
4) WebRTC Leak via Chrome Browser Extension only (VPN service is not in scope)
WebRTC leaks allow a third-party service to detect the user's real IP address when the user browses through a misconfigured web browser. Test whether the leak protection mechanism implemented in the browser extension is fit for purpose.
5) Session Hijacking
A targeted attack against a user connected over the VPN that hijacks their web session. Example cases where this was possible in the past:
1- Heartbleed-type issues.
2- Insecure handling of sessions through ISAKMP Security Associations (SAs).
6) Man-in-the-Middle Attack (Network level)
A scenario where an attacker on the local LAN acts as a proxy between the vpn_user and the VPN server and is able to manipulate the vpn_user's traffic in plain text. (Attacks that rely on social engineering or on the user accepting a fake certificate are not allowed.)
7) Incorrect network access rights
A scenario where a misconfigured VPN server or client allows one connected vpn_user to access the network shares of other users connected to the same VPN server.
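Items 1 and 2 above describe conditions that can be verified on the client host itself. The following is an added example, not PureVPN's code: it checks both conditions offline against constructed snapshots of /etc/resolv.conf and `ip -6 route show` (the tunnel interface name `tun0` and the pushed resolver `10.8.0.1` are assumptions).

```python
# Added example (not PureVPN's code): offline check for the leak conditions in
# items 1 and 2, over constructed resolv.conf and `ip -6 route show` snapshots.
import ipaddress

# Constructed: client pushed 10.8.0.1, but the LAN router's resolver is still listed.
RESOLV_CONF_LEAKING = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"
RESOLV_CONF_OK = "# managed by the VPN client\nnameserver 10.8.0.1\n"

# Constructed: ISP advertised a global IPv6 prefix; default route still leaves via eth0.
IP6_ROUTES_LEAKING = """\
2001:db8:1::/64 dev eth0 proto kernel metric 100
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 100
"""
# Same host once the client adds a lower-metric default through tun0.
IP6_ROUTES_OK = """\
2001:db8:1::/64 dev eth0 proto kernel metric 100
fe80::/64 dev eth0 proto kernel metric 256
default dev tun0 metric 50
default via fe80::1 dev eth0 proto ra metric 100
"""
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # RFC 4291 global unicast
BLOCKED = ("unreachable", "blackhole", "prohibit")  # route types that drop traffic

def dns_leak(resolv_conf, vpn_resolvers):
    """Resolvers in use that the VPN did not assign (item 1 condition)."""
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    return [p[1] for p in (l.split() for l in resolv_conf.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"
            and ipaddress.ip_address(p[1]) not in allowed]

def ipv6_leak(ip6_routes, tunnel_iface):
    """True when a global IPv6 prefix is configured but the preferred (lowest
    metric) default route is neither via the tunnel nor blocked (item 2)."""
    has_global, best = False, (float("inf"), False)  # (metric, default is safe)
    for parts in filter(None, (l.split() for l in ip6_routes.splitlines())):
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 1024
        if parts[0] in BLOCKED and parts[1:2] == ["default"]:
            best = min(best, (metric, True))  # kernel drops it: nothing escapes
        elif parts[0] == "default":
            via_tun = "dev" in parts and parts[parts.index("dev") + 1] == tunnel_iface
            best = min(best, (metric, via_tun))
        else:
            try:
                net = ipaddress.ip_network(parts[0], strict=False)
            except ValueError:
                continue  # non-prefix first token, e.g. "multicast"
            has_global |= net.version == 6 and net.subnet_of(GLOBAL_UNICAST)
    return has_global and not best[1]
```

On a real host the snapshots would come from reading /etc/resolv.conf and running `ip -6 route show` after the client connects; the required screenshots (traceroute/MTR, assigned IP) are still needed for a report.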
PureVPN is excited to announce additions to its targets. We encourage responsible reporting of vulnerabilities found in the newly added targets. PureVPN is committed to working with security researchers to verify and address any potential vulnerabilities reported to us.
Documentation & Demo Application:
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.