VULNERABILITY DISCLOSURE POLICY
PureVPN cares about your online security, privacy, and the data entrusted to us. We are committed to safeguard and protect your data and to ensure that PUREVPN takes one step ahead to introduce this Vulnerability Disclosure Policy. PureVPN’s VDP commits to protect the data and assets from any cyber risk and leads to a heightened level of protection throughout the organization.
Pure B2B is a data controller in respect of your personal data for the purposes of the Virgin Islands Data Protection Act, 2021 (the Act). Pure B2B is responsible for ensuring that it uses your personal data in compliance with the Act.
The information collected by Pure B2B is limited to that which is necessary for the provision of the Services, including your name, email address and payment information. Our system is designed so that no sensitive data is collected about you.
PureVPN’s VDPs are intended to give security researchers explicit and transparent communication guidelines about the procedure for the desired results:
The researcher community needs to notify at the provided email hereunder as soon as a new vulnerability is detected.
The researcher must ensure that the safety of the assets or any data is not affected in any way as a result of testing.
Use proof of concept to demonstrate the presence of a vulnerability.
Once a vulnerability is identified, the researcher must not use exploits unnecessarily further.
The researcher must not disclose the vulnerability publicly.
The use of automated scanners while conducting security testing is strictly forbidden.
Do not adopt or carry out any destructive actions whilst testing.
No data should be exfiltered whilst testing.
The Scope of PureVPN’s VDPs includes the following:
Cross Instance Data Leakage/Access
Server-side Remote Code Execution (RCE)
Client-Side Remote Code Execution (RCE)
Server-Side Request Forgery (SSRF)
Stored/Reflected Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
SQL Injection (SQLi)
XML External Entity Attacks (XXE)
Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)
Path/Directory Traversal Issues
Remote Code Execution
Denial of Service
Make sure to review the out-of-scope list for further details.
Out of Scope
Anything that is not included in the list of scope should be considered out of scope for the purposes of this VPD. However, below are some examples of what is considered out of scope.
Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Fingerprinting/banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues are only exploitable through clickjacking.
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
Weak Captcha / Captcha Bypass.
Login or Forgot Password page brute force and account lockout not enforced.
OPTIONS HTTP method enabled.
No Load testing (DoS/DDoS etc) is allowed on the instances/assets.
This includes application DoS as well as network DoS.
Username / email enumeration.
Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
Cache-Control and Pragma
HTTP/DNS cache poisoning.
SSL/TLS Issues, e.g.
SSL Attacks such as BEAST, BREACH, and Renegotiation attacks.
SSL Forward secrecy not enabled.
SSL weak/insecure cipher suites.
Point of Contact
Reports need to be submitted in plain text (associated pictures/videos are accepted as long as they’re in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text. Make use of [email protected] as a point of contact.
Once the vulnerabilities have been reported, PureVPN commits to take a series of steps to ensure authenticity.
All of the reported vulnerabilities will be required validation that will be taken care of within the first and second week of submission by the PUREVPN team.
The researcher community will be held for information sharing regarding the validated vulnerabilities.
Reported vulnerabilities will not be disclosed until the decision has been made and agreed upon between PUREVPN and the researcher.
PUREVPN team will review the bug if it qualifies for a bounty. In case it fails to qualify, researcher will be updated and bug submission loop will be closed. If it qualifies, PUREVPN team will update the researcher for the approved bounty.
Bounty reward will be decided solely by PUREVPN.
Fixed Vulnerabilities will be required to get validated by the researcher before closure of bug reporting loop.
Impacted users will be updated with the found vulnerability through a private newsletter.
Reward Money Remittance
Payment will not be processed to any sanctioned country.
Payments will be allowed via paypal, stirpe, main stream banks etc.
An amount of upto $1500 will be rewarded depending on the severity of the reported vulnerability.
Basic information like the researcher’s first and last name, photo identity of account holder and account details will be required to process payment.
The efforts and sincerity of all the security researchers are appreciated for sharing information on security issues with PUREVPN. The VDP program gives us an opportunity to help us move towards improved products and services for our customers. Much thanks to you for working with us through the process.