Strona główna Proton VPN
ProtonVPN
Subskrybuj kanał RSS
protonvpn bug bounty

Keeping Proton VPN Secure

Proton Team

Udostępnij tę stronę:

November 2025: This article has been updated to reflect latest bonus payment scheme. The maximum payment has risen from $10,000 to $100,000.

As with Proton Mail, we have built Proton VPN with an emphasis on security. Today, we are launching a Bug Bounty Program to further enhance Proton VPN’s security.

In operating a VPN service, security is required not only for the VPN connections and protocols themselves. Security is also needed for the underlying server infrastructure, the web pages and dashboards, the VPN applications themselves, the payment system, and also the user databases. To properly protect user privacy, we need to protect all aspects of the service from compromise.

In building Proton VPN, we drew upon the security expertise we have gained from running the world’s largest secure email service(nowe okno). We have also been working together with Proton Mail security contributors(nowe okno) and the broader community on strengthening all aspects of Proton VPN. Recently, we worked together with long time Proton Mail security contributor Mazin Ahmed(nowe okno) to complete a comprehensive security audit of Proton VPN and add additional hardening.

Our bug bounty program allows us to extend the work that we already do on a daily basis to protect Proton VPN users. For this reason, now that Proton VPN has officially launched, one of the first things we are doing is launching the Proton VPN Bug Bounty Program. With this program, we are inviting security experts from around the world to try to find weaknesses within Proton VPN, and we will be paying rewards (bounties) for security issues which are reported to us through this program. If you are a security researcher, you can also participate in the Proton Mail Bug Bounty Program(nowe okno).

Proton VPN Bug Bounty Program

Rules

Scope: The program is limited to the servers and the web, desktop and mobile applications run by Proton VPN. Our profiles on Facebook, Twitter, Linkedin, Eventbrite, etc, do not qualify. Qualifying sites include:

  • protonvpn.com
  • account.protonvpn.com
  • api.protonvpn.ch [Note: .ch and not .com]

The Proton VPN applications on Windows, MacOS, Linux, iOS and Android are also included in this program.

Judging: The judging panel to determine awards consists of Proton VPN and Proton Mail developers assisted by one or more outside experts who are part of our security group. Program participants agree to respect the final decision made by the judges.

Responsible Disclosure: We request that all vulnerabilities be reported to us at security@proton.me. We believe it is against the spirit of this program to disclose the flaw to third parties for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until after they have been fixed and to coordinate disclosure with our team through our release notes to avoid confusion.

Responsible Testing:  Please do not hack user accounts, corrupt databases, or leak data that might be sensitive. We also discourage vulnerability testing that degrades the quality of service for our users. If in doubt, feel free to contact our Security Team at security@proton.me.

Adherence to Rules: By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for awards.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. This includes, but is not limited to:

Web Applications

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • REST API vulnerabilities

Server

  • Un-authorised shell access
  • Privilege escalation
  • Remote code execution

Applications

  • Authentication or authorization flaws
  • Local data security breach (without rooting)

We believe in working closely with security researchers and are willing to share technical details such as API specifications, source code, or infrastructure details with selected researchers with the aim of improving security for all Proton Mail users. Please contact security@proton.me for more details.

Qualifying Improvements

Sometimes, bounties are awarded for suggestions for improvement which don’t fall into any of the above categories. This is determined on a case by case basis by our team. These include things such as:

  • Server configuration improvements
  • Firewall configurations
  • Improved DoS/DDoS safeguards
  • Path/information disclosure

Non-Qualifying vulnerabilities

  • Flaws impacting out of date browsers (sorry, IE6 security issues don’t qualify)
  • Security issues outside the scope of Proton VPN’s threat model
  • Phishing(nowe okno) or social engineering attacks
  • Bugs requiring exceedingly unlikely user interactions
  • WordPress bugs (but please report those to WordPress)
  • Out of date software – For a variety of reasons, we do not always run the most recent software versions, but we do run software that is fully patched
  • Software bugs in OpenVPN or IKEv2 (but please report them to their authors)

Reward Amounts

The size of the bounty we pay is determined on a case by case basis and largely depends on the severity of the issue. To be awarded a bounty, you usually need to be the first person to report an issue, although sometimes exceptions are made. Rough bounty guidelines are provided below:

  • Maximum reward: USD 100,000.
  • Critical severity: USD 25,000 – USD 50,000 — Discovery of a vulnerability that allows for full sustained unauthorized control of the service environment, or compromises the confidentiality or integrity of all users’ data without requiring special conditions or prior access.
  • High severity: USD 2,500 – USD 25,000—Discovery of a vulnerability that leads to sustained unauthorized control over a large part of the service environment, or a significant breach of data confidentiality or integrity affecting a broad group of users — without requiring special conditions or prior access — but still short of full service compromise.
  • Medium severity: USD 1,000 – USD 2,500 — Discovery of a vulnerability that allows unauthorized control over part of the service environment, or compromises the integrity or confidentiality of user data for a single user or a small group. Alternatively, vulnerabilities with broader impact that require significant user interaction or specific conditions, but still lead to the exposure of sensitive data or controls.
  • Low severity: Case-by-case, no monetary reward by default — Discovery of a vulnerability with a limited impact or with unlikely conditions.

Reporting Guidelines

Please report issues to security@proton.me. Issues should be reported with clear instructions on how to reproduce the issue and/or proof of concept.

Best Regards,
The Proton Team

Chroń swoją prywatność i bezpieczeństwo w Internecie
Otrzymaj dostęp do usługi Proton VPN bezpłatnie

Powiązane artykuły

Upcoming features
en
With the Proton VPN 2025-2026 fall and winter roadmap, we're delivering big-hitter features: Free server locations, our own VPN architecture, and a Linux CLI.
en
To prevent the illegal streaming of La Liga games, Spain blocked Cloudflare on Oct. 18, cutting off Spaniards from a broad swath of the internet.
Image of the flag of Jordan with an X indicating the outage of Discord in the country in October 2025
en
Proton VPN signups spiked alongside reports that Discord was not working in Jordan. Learn how to unblock Discord in Jordan.
en
  • Proton VPN news
Proton VPN spring and summer recap 2025
Earlier this year, we promised new features and products to make your life more convenient, more private, and more productive. How did we do?
Government surveillance boosted by sale of China's surveillance systems
en
China is selling mass surveillance systems based on Great Firewall tech to authoritarian regimes to further its geopolitical goals.
en
Each year, independent security experts verify that Proton VPN doesn't keep logs or engage in practices that might compromise your privacy.