NordVPN Launches Bug Bounty
NordVPN reported a breach via a third-party server last October, proving that even companies that typically earn top honors for security are attacked too. The company owned up to the breach, immediately went the extra mile to eradicate vulnerabilities, and now offers cash rewards to any ethical hacker who can find flaws in its defenses.
While there is no such thing as an unbreachable security defense, how a company handles an assault on its product, data, customers and reputation often determines whether it succumbs or survives the event. NordVPN took the high road and owned the breach immediately. After revealing the breach and the timeline of events, the company immediately moved to rectify the vulnerability cited as the cause. Now it’s offering cash rewards – a bug bounty – to ethical hackers to test the seal on the doors the company slammed shut after the breach.
Specifically, NordVPN is encouraging security researchers to analyze the company’s website, applications and services. Opening itself to outside independent scrutiny is the best way to make its efforts to protect its customers both transparent and effective.
Ethical hackers who report their findings on the HackerOne platform can collect $100 for discovering minor issues and up to $5,000 for uncovering major flaws.
“At NordVPN, we seek to make our infrastructure – and customers’ data – as secure as possible. And community participation is essential for reaching this goal,” said Ruby Gonzalez, head of communications at NordVPN.
In total, the company has taken five major steps to enhance its security and rebuild user trust. Since the breach, NordVPN has switched to diskless RAM servers, voluntarily undergone a full infrastructure audit, raised the bar considerably in its own security standards, launched the bug bounty program, and entered a partnership with VerSprite, a cybersecurity consulting firm.
“This [VerSprite] audit made our apps even stronger. After the initial test, our developers followed the auditor’s recommendations and implemented a few changes,” said Gonzalez. “We intend to regularly audit our service in the future.”
NordVPN also underwent an extensive VPN test by AV-TEST GmbH, a German independent research institute for IT security, and ranked among the top 10 VPNs tested there. A year earlier, PricewaterhouseCoopers AG, Switzerland, audited NordVPN’s no-logs policy.
While NordVPN has gone to great lengths to assure its customers that the product is safe, bad actors and nation-states are persistent and may one day succeed again.
“Hackers gained access to the system at NordVPN that contained at least one sensitive encryption key. That’s bad, but history has shown us that given enough time and resources, hackers can often find their way into high-value targets: breaches such as this have happened in 2019 more times than I can count,” said Ted Shorter, CTO at Keyfactor, a provider of secure digital identity management products.