Bug Bounty program
Thousands of users around the world trust us with their data. It's our duty to carefully protect users' security and privacy.
Help us make BlancVPN safer: report vulnerabilities and get rewarded.
Found a vulnerability? Send your report to [email protected]
Program rules
Submission requirements, assessment criteria and reward process.
Before submitting a vulnerability report, please read the following documents:
Vulnerability disclosure policy explains accepted testing methods and what to include in your report.
Safe harbor policy describes what actions are permitted and protected from legal risk when participating in the BlancVPN Bug Bounty program.
Rewards are decided on a case-by-case basis by our security team. The primary factor is how much the issue could affect our users’ data.
Payouts can vary based on factors such as:
- Prerequisites: whether exploitation requires additional, non-standard conditions, for example:
  - unusual user settings
  - custom builds or non-standard configurations of BlancVPN software
  - unreliable exploitation success (depends on environment conditions)
  - elevated privileges, a rooted/jailbroken device, and/or physical access
- Scope of impact: how widely confidentiality, integrity or availability of our services may be affected.
- Value of an exploit chain: whether the issue can lead to a broader chain of vulnerabilities and larger impact.
- Exploitability: the likelihood that the issue can be used in a real-world attack.
- Novelty: whether the issue is new or already known/public; priority is given to the first valid report.
- Report quality: a good report includes reproducible proof-of-concept or a clear path demonstrating impact. Providing code or pseudocode is preferred.
Types of vulnerabilities
We accept reports of any vulnerabilities that could affect users' privacy or the integrity of their data. Here are some common examples:
Accepted reports
- Real IP/DNS/WebRTC leaks when using the BlancVPN application.
- Authentication bypass or session theft — allowing attackers to access other users’ accounts or make purchases.
- Sensitive data exposure — private keys, tokens, backups, or logs containing personally identifiable information (PII).
- Remote code execution (RCE) / command injection in servers or applications.
- Access to databases, cloud resources, or internal services.
- Payment issues — e.g. free subscription activation, infinite renewals, or price manipulation.
Not eligible
- DDoS, flooding tests, brute-force and any testing that disrupts availability.
- Social engineering or phishing targeting employees or users, and physical access attacks.
- Self-XSS, clickjacking, or missing security headers on pages that do not expose sensitive data.
- Reports of outdated libraries without a demonstrable exploit or impact.
- Issues in third-party VPN clients (for example, WireGuard, OpenVPN or Outline apps).
- 404/5xx errors, typos, broken links and cosmetic bugs.
How much we pay
The reward amount depends on the severity of the vulnerability.
| Threat level | Payout range | Description |
|---|---|---|
| Critical | $15 000 – $50 000 | Allows full control of the service environment, mass access to users’ data and payment operations. Does not require special conditions or prior access to exploit. |
| High | $2 000 – $15 000 | Can provide partial control of the service environment and access to many users’ data. Does not require special conditions or prior access to exploit. |
| Medium | $500 – $2 000 | Allows control over a small part of the service environment and access to data of many users. Reproduction may require multiple steps. |
| Low | up to $500 | Difficult to reproduce, limited impact. |
Have questions? Contact [email protected]