Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

NordVPN bug bounty report fixed without data exposure

In one of the most significant discoveries from our bug bounty program, a cybersecurity researcher has found a vulnerability that could have revealed a handful of NordVPN users’ email addresses – had it ever been used. We’d like to tell you about the vulnerability and why all of NordVPN’s users are secure.

NordVPN bug bounty report fixed without data exposure

Are NordVPN users currently secure?


What specific user data could have been at risk?

Theoretically, it could have been possible to discover the email addresses of a handful of users who had purchased NordVPN within the last hour of an attempt at abusing the vulnerability.

Was any user data actually exposed in this way?

No. Our monitoring systems have not indicated any abuse of this vulnerability. We only made the disclosure once we were sure that no email addresses could be exposed.

On December 4th, an analyst on HackerOne notified our team of a vulnerability linked to three specific payment providers – Momo, Gocardless, and Coinpayments. This vulnerability could theoretically be used to discover the email address of a random individual who had purchased NordVPN within the last hour. However, existing rate-limiting practices meant that only a handful of random email addresses could have been exposed in this way. No other customer data could have been exposed in this way.

Our tech team resolved the vulnerability immediately. Over the next two days, the fix was tested, deployed, and tested again until we could guarantee that it was fixed. While resolving the vulnerability, it became clear to our tech team that the vulnerability had never been abused. Three months later, the report was disclosed – a by-the-book report and resolution.

Had a malicious actor discovered this vulnerability, abusing it would have been difficult and unrewarding. Here’s what someone would’ve had to do:

  1. A user needs to have paid for NordVPN through Momo, Gocardless, or Coinpayments.
  2. That user needs to have paid for NordVPN within the last hour before someone’s attempt to abuse the vulnerability.
  3. The malicious actor needs to have randomly guessed the user’s ID.

Again, our fix has already been implemented and this is no longer an issue. We also believe that the vulnerability was never used until it was discovered by a diligent security researcher.

The bug bounty program in action

We’re not happy that we had a vulnerability in our system, but we’re very happy that it was found and eliminated so quickly. We have a bug bounty hunter to thank for that – dakitu. They were paid $1,000 USD for finding and confidentially reporting the vulnerability to us so our team could fix it. Dakitu is one of potentially thousands of bounty hunters invited to scour our systems every day in search of vulnerabilities large and small.

Our bug bounty is one of the first completed steps of the comprehensive security plan we unveiled for 2020. This is the first non-trivial vulnerability reported though the bug bounty program, so it’s already delivering results – making NordVPN’s users even more secure.

Will you be the next NordVPN bug bounty hunter? Earn cash by making NordVPN’s users even safer.