Return to protonvpn.com Facebook   Twitter   Reddit   ProtonMail

Keeping ProtonVPN Secure

Posted on July 24th, 2017 by in Security.

protonvpn bug bounty

 

As with ProtonMail, we have built ProtonVPN with an emphasis on security. Today, we are launching a Bug Bounty Program to further enhance ProtonVPN’s security.

In operating a VPN service, security is required not only for the VPN connections and protocols themselves. Security is also needed for the underlying server infrastructure, the web pages and dashboards, the VPN applications themselves, the payment system, and also the user databases. To properly protect user privacy, we need to protect all aspects of the service from compromise.

In building ProtonVPN, we drew upon the security expertise we have gained from running the world’s largest secure email service. We have also been working together with ProtonMail security contributors and the broader community on strengthening all aspects of ProtonVPN. Recently, we worked together with long time ProtonMail security contributor Mazin Ahmed to complete a comprehensive security audit of ProtonVPN and add additional hardening.

Our bug bounty program allows us to extend the work that we already do on a daily basis to protect ProtonVPN users. For this reason, now that ProtonVPN has officially launched, one of the first things we are doing is launching the ProtonVPN Bug Bounty Program. With this program, we are inviting security experts from around the world to try to find weaknesses within ProtonVPN, and we will be paying rewards (bounties) for security issues which are reported to us through this program. If you are a security researcher, you can also participate in the ProtonMail Bug Bounty Program.

ProtonVPN Bug Bounty Program

Rules

Scope: The program is limited to the servers and the web, desktop and mobile applications run by ProtonVPN. Our profiles on Facebook, Twitter, Linkedin, Eventbrite, etc, do not qualify. Qualifying sites include:

  • protonvpn.com
  • account.protonvpn.com
  • api.protonvpn.ch [Note: .ch and not .com]

The ProtonVPN applications on Windows, MacOS, Linux, iOS and Android are also included in this program.

Judging: The judging panel to determine awards consists of ProtonVPN and ProtonMail developers assisted by one or more outside experts who are part of our security group. Program participants agree to respect the final decision made by the judges.

Responsible Disclosure: We request that all vulnerabilities be reported to us at security@protonvpn.com. We believe it is against the spirit of this program to disclose the flaw to third parties for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until after they have been fixed and to coordinate disclosure with our team through our release notes to avoid confusion.

Responsible Testing:  Please do not hack user accounts, corrupt databases, or leak data that might be sensitive. We also discourage vulnerability testing that degrades the quality of service for our users. If in doubt, feel free to contact our Security Team at security@protonvpn.com.

Adherence to Rules: By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for awards.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. This includes, but is not limited to:

Web Applications

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • REST API vulnerabilities

Server

  • Un-authorised shell access
  • Privilege escalation
  • Remote code execution

Applications

  • Authentication or authorization flaws
  • Local data security breach (without rooting)

We believe in working closely with security researchers and are willing to share technical details such as API specifications, source code, or infrastructure details with selected researchers with the aim of improving security for all ProtonMail users. Please contact security@protonvpn.com for more details.

Qualifying Improvements

Sometimes, bounties are awarded for suggestions for improvement which don’t fall into any of the above categories. This is determined on a case by case basis by our team. These include things such as:

  • Server configuration improvements
  • Firewall configurations
  • Improved DoS/DDoS safeguards
  • Path/information disclosure

Non-Qualifying vulnerabilities

  • Flaws impacting out of date browsers (sorry, IE6 security issues don’t qualify)
  • Security issues outside the scope of ProtonVPN’s threat model
  • Phishing or social engineering attacks
  • Bugs requiring exceedingly unlikely user interactions
  • WordPress bugs (but please report those to WordPress)
  • Out of date software – For a variety of reasons, we do not always run the most recent software versions, but we do run software that is fully patched
  • Software bugs in OpenVPN or IKEv2 (but please report them to their authors)

Reward Amounts

The size of the bounty we pay is determined on a case by case basis and largely depends on the severity of the issue. To be awarded a bounty, you usually need to be the first person to report an issue, although sometimes exceptions are made. Rough bounty guidelines are provided below:

Minor server and app vulnerabilities that do not compromise user data or privacy: $50

Vulnerabilities that can lead to data corruption: $100

Vulnerabilities that can lead to the disclosure of user data or jeopardize user privacy: $250

Maximum bounty: $500

Reporting Guidelines

Please report issues to security@protonvpn.com. Issues should be reported with clear instructions on how to reproduce the issue and/or proof of concept.

Best Regards,
The Proton Technologies Team

We are the scientists, engineers, and developers who build ProtonMail, the world's largest encrypted email service. We're now building ProtonVPN also to ensure that everybody can have access to free and secure internet.

Post Comment

13 comments

  1. User

    Hello,
    Still no working proton vpn and no working DNS Server 10.8.8.1 by useing proton VPN.
    Depend on this, user need for useing proton VPN connection to use other, usually LOGGED DNS Server like the follow:
    208.67.222.222
    208.67.220.220
    8.8.4.4
    8.8.8.8

    VBR

  2. Augustinas

    Hello, 10.8.8.1 will not resolve if you are not connected to our VPN server. OpenDNS/Google DNS is an alternative if for any reason DNS is not pushed from the server side. This might happen if you are using a manual connection method, for example an OpenVPN client with our configuration files. This however should not happen while using ProtonVPN applications.

  3. PlusUserdayonw

    Who cares about a reward it’s for the greater good. I don’t profess to know much about the technology but I can certainly recognize when it’s acting in a way that is clearly being influenced by malware and report the logs to professional for the improvement of a valuable service like this one.

  4. eric

    I have used the IVPN plan for the last two years. I am thinking of switching to proton because of the email service that i really like.
    i have two questions:
    1)Is there any possibilty to configure my router with the proton settings for automatic vpn inside my network? IVPN has this and hence you install it on a router and all the computers in the house get connected automatically to the vpn.

    2) can you give me some speed numbers for a plus plan for instance? 15 20 30 MBIT?

  5. ProtonVPN Admin

    Plus plan can typically reach the max speed of your internet connection, up to around 200 Mbps. And yes, ProtonVPN does support routers.

  6. Anna Davidson

    Hi ProtonVpn Team,
    Thank you for advancing the very important topic of consumer privacy, and allowing users across the world to protect their data. I’ve attempted to sign up on your protonvpn site tonight, and wasn’t able to sign up due to experiencing numerous usability issues, and bugs resulting from bad flow, hitting dead ends, UI components that should be active showing as inactive, etc.

    I’m on an iPhone 6 and haven’t updated my OS, but am guessing that’s not highly unusual, as the iOS software update process is super clunky on the devices with less space.

    Also have numerous screen grabs of this, but don’t know that I’ll have time to annotate these and would much rather walk you through the flows than typing them.
    A few side notes that are important:
    -The UX color conventions for signing up at Protonvpn do not match the proton mail app
    -The existing account sign up process is where I kept looping (no UI action as you scroll), cleared cache and found one at top of page but still hit a dead end
    -Your UI is designed as one single page but does not indicate that there are interactions below. There are numerous scrolling options/established mobile UI conventions for this. And also some kind of nice old school ways that still work on mobile like stepped accordions that walk you through a process
    -Where am I? Walking someone through this process is pretty important, as I’m a technologist. Not a developer but someone who works in agile sprints, writes requirements, understands how to speak with both back end and front end developers, and translate back to the business. And this process is super-confusing for me. Honestly, I’m a lazy technologist. That’s my persona. Someone who has worked in online for close to 20 years, has lived her life openly, and now realizes that she has to make some behavioral changes, and shore things up. And has to think about this for her family. That is really overwhelming, as well as time intensive. Hoping your vision and a them on your roadmap is to make this easy for everyone.
    -ProtonMail has done a fantastic job with content, so maybe you can take some of the mystery out of this via that channel.
    At any rate, could blather on but these words won’t provide your developers with much info. Thank you for what you do. Am a huge supporter of your efforts. Have a full time job but am also happy to provide you with a small amount of weekly pro-bono time dedicated to support your efforts. My advice would be to hire a UX specialist who understands UI conventions like flat design, as well as conceptually understand zero UI and voice, as well as security for all of the aforementioned.
    Please feel free to reach out and schedule an hour for me to explain the issues I experienced whilst trying to sign up. And good luck. New products are never boring.
    Kind regards,
    Ad

  7. ProtonVPN Admin

    Hi Anna, Thanks for this helpful feedback, we will be looking into this.

  8. Max

    Hey!
    What about adding PGP encryption to your security email adress? That would put a extra layer of security to the bug reporting process

  9. Harold

    wow great news a bug bounty program, but i hope they are cheaper like FrootVPN , i’ve been using it since last year for downloading torrent files #tunnelvpn

  10. MONKiVPN

    It’s great to have the bug bounty but by the looks of the rewards those participating will do it only out of good will. In that case maybe a combination of a T-shirt and a free subscription could do the trick as well.

  11. Anon

    I like that idea. Wouldn’t mind some gear

  12. Jeff

    These bounties aren’t worth a white hats effort and for anyone else they’ll be worth more on the black market.

  13. ProtonPlus user

    Indeed Jeff, the “prize” seems way too little. Some people won’t even bother with this

Leave a Reply

Your email address will not be published. Required fields are marked *

Knowledge base

 

Secure Your Internet Today

Get ProtonVPN