2018-09-11
2019-08-22

Reward

100 $ 

OpenVPN

OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. If you've found a security bug that could potentially impact the security of these networks, you have our thanks and might be eligible for a cash reward.

Reporting a bug in OpenVPN (community edition)

To report a security issue in OpenVPN (community edition), please e-mail security@openvpn.net.

PGP Public Key for contact.

See previous security announcements here.

Reporting a bug in OpenVPN Access Server

To report a security issue in the Access Server, please submit a ticket at Support Center.

Disclosure Policy

  • Let us know of any potential vulnerabilities as soon as possible, and we will make every effort to resolve the issue quickly.
  • Share with us the full details of any vulnerability, including steps to reproduce, if applicable.
  • Provide us a reasonable amount of time to fix the issue before disclosure to the public or a third-party.
  • Try to avoid degradation of systems, destruction of data, or privacy violations.

We will make every effort to abide by HackerOne's disclosure guidelines.

Internet Bug Bounty Qualification

Only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically Arbitrary Code Execution or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.

| Impact | Amount |
| --- | --- |
| Critical: _Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved._ | $2,500+ |
| High: _Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register)._ | $1,250 |
| Minimum: _Demonstrate the presence of a security bug with probable remote exploitation potential._ | $500 |

Awards are increased for fixes that include giving the developers any custom tools that you developed to locate the bugs, as it provides a longevity boost to your work and eliminates the chances for regressions or reintroducing similar bugs of the same class. Make sure your tools have documentation and proper commenting in the code so that the developers can utilize / enhance / improve upon your work in the future to receive increased awards.

The project maintainers have final decision on which issues constitute security vulnerabilities. The Internet Bug Bounty Panel will respect their decision, and we ask that you do as well.

Only versions currently supported by the upstream project are eligible. Please verify your issue is present in a current release before submission.

It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.

In Scope

| Scope Type | Scope Name |
| --- | --- |
| android_application | de.blinkt.openvpn |
| web_application | https://github.com/OpenVPN/openvpn |
| web_application | https://github.com/OpenVPN/easy-rsa |
| web_application | https://github.com/OpenVPN/tap-windows6 |
| web_application | https://github.com/OpenVPN/openvpn-build |
| web_application | https://github.com/OpenVPN/openvpn-gui |
| web_application | https://github.com/schwabe/ics-openvpn |
| web_application | https://github.com/OpenVPN/openvpn3-linux |
| web_application | https://github.com/OpenVPN/openvpn3 |

Out of Scope

| Scope Type | Scope Name |
| --- | --- |
| application | OpenVPN Access Server |
| web_application | https://github.com/OpenVPN/openvpn-windows-test |
| web_application | https://github.com/OpenVPN/tap-windows |
| web_application | *.privatetunnel.com |
| web_application | *.openvpn.com |
| web_application | *.openvpn.org |
| web_application | *.openvpn.net |


The public program OpenVPN on the platform HackerOne was updated on 2019-08-22. The lowest reward is 100 $.
