Reporting a Vulnerability


Are you a security ninja?
If you believe that you found a vulnerability in activpn.com or the ActiVPN infrastructure, let's talk. We are running a bug bounty.

Some rules:
  • Scope: our website and our VPN servers: *.activpn.com
  • OK: Code Execution at server side: BOF, IOF, IUF, UAF, Race Condition in our applications
  • OK: Web Command Injection: Shell Injection, XSS, SQL Injection, PHP injection, XXE, SSRF ...
  • OK: path traversal, LFI, RFI, open redirect (assuming it leaks customer data),
  • OK: authentication or authorization flaw, or significant infoleak of customer data
  • Responsible disclosure only: never publish any user data, do not publish the details of the vulnerability before it has been patched
  • Responsible behavior only: if you gain write access, do not modify or delete other users' data, use accounts you created for this purpose ; similarly, if you gain read access, do not dump the whole dataset, two entries that you created are enough.
  • EXCLUDED: DDOS, Spam, Phishing, logout CSRF, ClickJacking, Directory Listing (unless you get server interpreted source code), CSRF (unless affects the confidentiality or the availability of the user data), Session Fixation, Missing Content-Type header unless you can upload a file, Cookie set without secure flag, no HSTS flag, Cache settings (unless you get code execution or privilege escalation or significant infoleak), Path/Exception disclosure (we voluntarily setup an exception mechanism that indicates you information about the failure for helping pentesting), Password auto-complete in Browser, password policy
  • FIFO: first tester to report a valid vulnerability earns the reward
  • Payment: So far, we are unable to pay residents of the following countries: Egypt, Cuba, Iran, North Korea, Sudan and Syria.

    Two methods for reporting:
  • via email security []A[] activpn.com.

You will get a reply within 5 business days at most.



Security Hall of P0wn

We thanks the individuals who made our services even more secure:

2021

  • Sanath Vyas - Type 1 XSS

2015

2014

Security News

  • TLS HeartBleed