BlancVPN Bug Bounty Policy
Security is core to our values, and we value the input of security researchers acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure.
We offer a bug bounty program to recognize and reward security researchers who help us identify vulnerabilities in our products and services. We value excellent engineering and are always looking for ways to improve the security of our systems.
Scope
In Scope
The following products and services are eligible for our bug bounty program:
Web Properties:
BlancVPN APIs
BlancVPN account management systems
Infrastructure:
VPN servers
Server infrastructure and backend systems
Applications:
BlancVPN Applications (all platforms: Windows, macOS, iOS, Android)
Focus Areas
We're particularly interested in:
VPN Leaks: Vulnerabilities in our official client applications that lead to real IP/DNS/WebRTC leaks when using the BlancVPN application
Authentication & Access Control: Bypass of authentication mechanisms, session hijacking, unauthorized account access
Sensitive Data Exposure: Leakage of private keys, tokens, backups, PII logs, or other confidential information
Server Infrastructure: Remote Code Execution (RCE), command injection, or unauthorized access on VPN servers or application infrastructure
Data Access: Unauthorized access to databases, cloud storage, or internal services
Payment Systems: Free subscription activation, unlimited renewals, price manipulation
Privilege Escalation: Vulnerabilities in client applications that lead to privilege escalation on user devices
Out of Scope
The following are NOT eligible for bug bounty rewards:
Testing Methods:
DDoS attacks, flood testing, brute-force attacks, or any research that disrupts service availability
Social engineering or phishing
Physical security testing
Spam or unsolicited communications
Low-Impact Issues:
Self-XSS, clickjacking, and missing security headers on pages without sensitive data
Reports of "outdated libraries" without demonstrable exploitation
Content injection without clear demonstration of significant risk
404/5xx errors, typos, broken links, cosmetic issues
Issues requiring exceedingly unlikely user interaction
Mobile app crashes not reproducible on recent OS versions or devices
Third-Party Systems:
Third-party VPN clients (e.g., WireGuard, OpenVPN, Outline); only the official BlancVPN application is in scope
Third-party services or applications that integrate with BlancVPN
Payment processor, support platform, or other third-party software vulnerabilities
Important: For VPN connection issues (IP/DNS/WebRTC leaks), only issues occurring in the official BlancVPN application are eligible. Problems with third-party VPN clients or browser extensions are explicitly excluded.
Vulnerability Severity and Rewards
Reward amounts are determined by our security engineers based on the severity of the vulnerability and the degree of risk to BlancVPN user data and privacy.
Critical: $15,000 – $50,000
Allows complete control over the service environment, mass access to user data, or payment operations. Does not require special conditions or prior access for exploitation. Examples include RCE on VPN servers, mass user data exposure, or complete authentication bypass.
High: $2,000 – $15,000
Allows partial control over the service environment or access to user data affecting a broad user base. Does not require special conditions or prior access for exploitation. Examples include privilege escalation, significant data leaks, or session hijacking.
Medium: $500 – $2,000
Allows control over a limited portion of the service environment or access to user data affecting a smaller user base. May require multiple user-initiated steps to exploit. Examples include CSRF on sensitive actions or authentication issues requiring user interaction.
Low: Up to $500
Difficult to reproduce with limited impact. Examples include minor information disclosure or issues requiring highly unusual circumstances.
Factors Affecting Reward Amount
Rewards may be adjusted based on several factors:
Prerequisites – Whether exploitation depends on unusual user configurations, non-standard software setups, unreliable exploitation, or requires elevated privileges or physical access.
Impact Scale – The degree to which confidentiality, integrity, or availability of our services and user data may be compromised.
Exploitability – The likelihood that the vulnerability could be exploited in a real-world attack scenario.
Novelty – Whether the vulnerability is newly discovered or already known/publicly disclosed. Only the first valid report of a unique vulnerability is eligible for a reward.
Report Quality – Reports with clear, reproducible proof of concept, comprehensive documentation, step-by-step reproduction instructions, and code examples may receive higher rewards within the severity tier.
Eligibility Requirements
To participate in this program, you must:
Be at least 18 years of age or have parental/guardian consent
Not be a resident of a country subject to trade sanctions or export controls
Not be a current or former employee, contractor, friend, family member, or otherwise affiliated with BlancVPN
Comply with all applicable laws and regulations
Make a good faith effort to comply with this policy
Test Methods and Ground Rules
Security Researchers Must NOT:
Test systems not explicitly listed in the Scope section
Disclose vulnerability information publicly until authorized by BlancVPN
Engage in physical testing or social engineering
Send phishing messages or unsolicited emails
Execute denial of service or resource exhaustion attacks
Introduce malicious software or degrade system operations
Test third-party applications or services
Access, modify, delete, or destroy data belonging to other users
Use exploits to exfiltrate data or establish persistent access
Demand rewards or threaten public disclosure
Security Researchers Must:
Report vulnerabilities promptly through official channels
Cease testing immediately upon discovery of a vulnerability
Cease testing immediately upon discovery of user data (PII, PHI, credit card data, etc.)
Purge any stored non-public data upon reporting
Limit data access to the minimum necessary for proof of concept
Keep vulnerability details confidential until remediation and authorization
Use only test accounts you own or have permission to use
Respond to communications in a timely manner
Security Researchers May:
View or store non-public data only to the minimum extent necessary to document a vulnerability
How to Submit a Report
Submission
Submit reports to: security@blancvpn.com
What to Include
Your report should contain:
Detailed technical description of the vulnerability
Step-by-step reproduction instructions
Proof of concept code or demonstration
Affected systems, applications, and versions
Potential impact assessment
Screenshots or videos with descriptive names
Your contact information (or submit anonymously)
Please embed any scripts or exploit code in non-executable file types. We can process common file formats and archives (zip, 7zip, gzip).
Response Timeline
Acknowledgment: Within 5 business days
Validation: We'll work with you to understand and validate your report
Updates: Regular communication on status and remediation progress
Resolution: Timely remediation of confirmed vulnerabilities
Reward Payment Process
Validation: All submissions are reviewed by our security team. Complex issues may require additional investigation time beyond initial validation.
Determination: Rewards are based on severity, impact, report quality, and other factors outlined above. For duplicate reports, only the first valid submission is eligible.
Payment: Rewards are paid after validation and successful remediation. Payment methods and timelines will be communicated during validation. Researchers are responsible for applicable taxes and may need to complete tax documentation. We cannot pay individuals or entities on sanctions lists.
Rights: By submitting a report, you grant BlancVPN a non-exclusive, royalty-free, worldwide, perpetual license to use the information to improve security.
Disclosure Policy
We ask that you refrain from sharing information about discovered vulnerabilities for 120 days after receiving our acknowledgment. This allows us to investigate, develop fixes, deploy them across all systems, and notify affected users if necessary.
If you believe others should be informed before our corrective actions are complete, you must coordinate in advance with the BlancVPN Security team. Public disclosure without available fixes increases security risk for our community.
We may share vulnerability reports with affected vendors but will not share your contact information without explicit permission. If you wish to be publicly recognized for your contribution, let us know and we'll credit you appropriately after resolution.
Program Modifications
BlancVPN reserves the right to modify, suspend, or terminate this program at any time. Changes will be communicated through program updates and don't affect reports submitted before the change unless otherwise stated.
Participation does not guarantee a reward. Final determination of eligibility, severity, and reward amount is at BlancVPN's sole discretion, though we strive to be fair and consistent.
Questions and Support
Contact us at security@blancvpn.com for:
Clarification on any element of this policy
Questions about whether a test method is acceptable before you begin testing
Concerns about whether your research is consistent with this policy
Suggestions for improving this program
Thank you for helping us keep BlancVPN secure. We value the security research community and appreciate your responsible disclosure efforts.