We invite vulnerability researchers and anyone else who discovers a vulnerability in our service to join the Bug Bounty program.
The Bug Bounty program provides financial rewards from $100 to $5,000 or more, depending on the criticality of the vulnerability found.
You can submit a security vulnerability report to contact@redshieldvpn.com. It must comply with the rules below.
The following conditions must be met when applying for participation in the Bug Bounty program.
1. The message must contain a detailed step-by-step description of one or more of these vulnerabilities:
- unauthorized access to user accounts.
- unauthorized access to information about user accounts and information contained in user accounts.
- obtaining control over any part of the Red Shield VPN infrastructure or accessing its information.
- other vulnerabilities that result in unauthorized access to third-party accounts or the service infrastructure.
2. The vulnerability should be reproducible by following the described steps.
3. The vulnerability is not related to physical access to any Red Shield VPN equipment, offices, or employee workstations.
4. The identification and investigation of the vulnerability did not disrupt the operation of Red Shield VPN or affect its availability to users in any way.
5. Components covered by the program:
- Websites redshieldvpn.com, my.redshieldvpn.com, pay.redshieldvpn.com.
- Red Shield VPN apps and browser extensions, which you can get from redshieldvpn.com.
- Red Shield VPN nodes and servers, including databases, backup servers, etc.
6. Information about the vulnerability was not transferred to third parties and was not published until it was fixed.
7. The report must not contain:
- Clickjacking.
- Missing cookie flags (HttpOnly, Secure, etc.).
- Irrelevant reports from scanners or automated tools.
- Presence of banner or version information, SSL/TLS best practices, etc.
- Account hijacking associated with external malware on the user’s device.
- DoS and DDoS attacks.
- SPF and DKIM issues.
- Self-XSS and issues exploitable only through Self-XSS
- Problems associated with old versions of applications and browser extensions that are no longer available on the redshieldvpn.com.
- Attacks requiring physical access to the user's device.
- Attacks requiring root access to the user's device.
- Vulnerabilities that rely on social engineering to either obtain sensitive credentials or have the user perform an unlikely sequence of actions.
- Vulnerabilities associated with VPN protocols and their libraries such as OpenVPN and others.
- Account hijacking using brute force, including using leaked databases from other resources.