Nord Security’s bug bounty program: the results

How does the bug bounty program work?

Since Nord Security’s product portfolio has expanded in recent years and many new features have been introduced, we needed to go the extra mile to mitigate security risks. While our product team does tremendous work by ensuring our app security, we wanted to benefit from an even wider pool of experts.

Penetration testers and cybersecurity researchers can find Nord Security on the HackerOne platform. They can then inspect the code in our applications, search for vulnerabilities, report them, and receive the bounty pay.

HackerOne attracts bounty hunters with different skill sets and their experience is invaluable to our company. Only by working together can we build a safer internet for everyone.

What are the rewards for reporting vulnerabilities?

Not all bugs are equal. We divide vulnerabilities into several categories and pay accordingly. For reporting a low-risk software vulnerability, ethical hackers can expect to receive anything from $50 to $100. However, the bounty pay significantly increases for more severe issues.

Recently, Nord Security has boosted the bounty pay for critical vulnerabilities to $50,000 or more. This applies to all Nord Security products: NordVPN, NordPass, NordLocker, and NordLayer.

Is the program working?

Yes! We started our bug bounty program with NordVPN, before adding more products from the Nord family to HackerOne in 2021.

In 2020, we received 759 reports on HackerOne platform. After evaluating their significance, Nord Security rewarded 85 reports with bounty pay, totaling more than $16,000.

This year, we’ve already received 910 reports (95 rewarded) for all Nord Security products and this number will probably grow in the last weeks of the year. More than $20,000 was paid in bounties.

Think you can find a bug? Head over to our HackerOne page.