Vulnerability Disclosure Policy


Introduction

At PureVPN, we care about your online security, privacy, and the information you have entrusted us with. We are committed to safeguarding and protecting your data, which is why we’re introducing the Vulnerability Disclosure Policy (VDP). PureVPN’s VDP vows to protect user data and assets from any cyber risk and leads to a heightened level of protection throughout the organization.

PureVPN processes your data in compliance with the PureVPN Privacy Policy, which is accessible on PureVPN’s official policy page.

By participating in this PureVPN VDP program, the researcher is bound by the terms and conditions of this VDP.

Guidelines

PureVPN’s VDP is intended to give security researchers explicit and transparent guidelines on how to communicate findings and which procedure to follow:

Do’s:
  • Researchers must notify PureVPN at the email address provided below as soon as a new vulnerability is detected.
  • The researcher must ensure that the safety of the assets or any data is not affected in any way as a result of testing.
  • Use a proof of concept to demonstrate the presence of a vulnerability.
Don’ts:
  • Once a vulnerability is identified, the researcher must not exploit it any further than is necessary to demonstrate it.
  • The researcher must not disclose the vulnerability publicly.
  • The use of automated scanners while conducting security testing is strictly forbidden.
  • Do not adopt or carry out any destructive actions whilst testing.
  • No data should be exfiltrated whilst testing.
Scope

The scope of PureVPN’s VDP includes the following:

  • Cross Instance Data Leakage/Access
  • Server-side Remote Code Execution (RCE)
  • Client-side Remote Code Execution (RCE)
  • Server-side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)
  • Path/Directory Traversal Issues
  • Buffer/Heap Overflows
    • Privilege Escalation
    • Remote Code Execution
    • Denial of Service

Make sure to review the out-of-scope list for further details.

Out of Scope

Anything not included in the scope list above should be considered out of scope for the purposes of this VDP. Below are some examples of what is considered out of scope.

  • Descriptive error messages (e.g. stack traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues that are only exploitable through clickjacking.
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Content spoofing.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Weak CAPTCHA / CAPTCHA bypass.
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled.
  • No load testing (DoS/DDoS etc.) is allowed on the instances/assets.
    • This includes application DoS as well as network DoS.
  • Username / email enumeration.
  • Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
    • Cache-Control and Pragma
  • HTTP/DNS cache poisoning.
  • SSL/TLS issues, e.g.
    • SSL attacks such as BEAST, BREACH, and renegotiation attacks.
    • SSL forward secrecy not enabled.
    • SSL weak/insecure cipher suites.

Point of Contact

Bounty hunters and researchers can submit their reports as plain text files. We also accept pictures, videos and other media as long as they are in standard formats. For security reasons, we will not accept reports in PDF or DOCX format. Reports submitted in such formats will not be reviewed unless resubmitted in plain text. To submit your reports, email them to security@purevpn.com.

Confidentiality

The researcher shall treat any validated vulnerability as confidential information of PureVPN and therefore shall not disclose it to anyone, including, but not limited to, any agency, public forum, competitor, freelancer, regulatory body, government body, or end user of PureVPN. PureVPN may seek any legal remedy available under the law against a researcher who leaks the confidential information of PureVPN.

Process Steps

In the event that PureVPN is notified about a vulnerability through a submitted report, PureVPN will take some or all of the following measures depending on the situation.

  • All reported vulnerabilities require validation, which the PureVPN team will carry out within the first and second week after submission.
  • Researchers will be held responsible for any sharing of information regarding validated vulnerabilities.
  • Reported vulnerabilities will not be disclosed until a decision has been made and agreed upon between PureVPN and the researcher.
  • The PureVPN team will review whether the bug qualifies for a bounty. If it does not qualify, the researcher will be informed and the bug submission loop will be closed. If it qualifies, the PureVPN team will inform the researcher of the approved bounty.
  • The bounty reward will be decided solely by PureVPN.
  • Fixed vulnerabilities must be validated by the researcher before the bug reporting loop is closed.
  • Impacted users will be updated with the found vulnerability through a private newsletter.

Reward Money Remittance

  • Payments will not be processed to any sanctioned country.
  • Payments can be made via PayPal, Stripe, mainstream banks, etc.
  • An amount of up to $1500 will be rewarded, at PureVPN’s sole and absolute discretion, commensurate with the severity of the reported vulnerability.
  • Basic information such as the researcher’s first and last name, photo ID of the account holder and account details will be required to process payment.

Closing Note

We appreciate the efforts and sincerity of all security researchers who share information on security issues with PureVPN. The VDP program gives us an opportunity to improve our products and services for our customers. Many thanks for working with us through the process.