NordVPN Launches Bug Bounty
NordVPN stepped up in a big way after a breach and now the company is offering cash rewards to test its efforts.
December 17, 2019
NordVPN reported a breach via a third-party server last October, proving that even companies that typically earn top honors for security are attacked too. The company owned up to the breach, went the extra mile to eradicate the underlying vulnerabilities, and now offers cash rewards to any ethical hacker who can find flaws in its defenses.
While there is no such thing as an unbreachable security defense, how a company handles an assault on its product, data, customers and reputation often determines whether it succumbs or survives the event. NordVPN took the high road and owned the breach immediately. After revealing the breach and the timeline of events, the company moved quickly to rectify the vulnerability cited as the cause. Now it’s offering cash rewards – a bug bounty – to ethical hackers to test the seal on the doors the company slammed shut after the breach.
Specifically, NordVPN is encouraging security researchers to analyze the company’s website, applications and services. Opening itself to outside independent scrutiny is the best way to make its efforts to protect its customers both transparent and highly effective.
Ethical hackers who report their findings on the HackerOne platform can collect $100 for discovering minor issues and up to $5,000 for uncovering major flaws.
“At NordVPN, we seek to make our infrastructure – and customers’ data – as secure as possible. And community participation is essential for reaching this goal,” said Ruby Gonzalez, head of communications at NordVPN.
In total, the company has taken five major steps to enhance its security and rebuild user trust. Since the breach, NordVPN has switched to diskless servers that run entirely in RAM, voluntarily undergone a full infrastructure audit, raised the bar considerably in its own security standards, launched the bug bounty program, and entered a partnership with VerSprite, a cybersecurity consulting firm.