[{"id":3767824,"new_policy":"At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Please note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us, you acknowledge that you have read and agreed to this Policy.\n\n---\n\n# Program Rules\nOur main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve it.\n* We reserve the sole right to determine the size of the reward, if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for especially clever or severe vulnerabilities. We recommend that you use the [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide to vulnerability severity levels. 
However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined at our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* A reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information that is necessary to receive the reward.\n* Taxes on rewards given to you are your sole responsibility.\n* The reward will be forfeited if it remains unclaimed or undeliverable for a period of six (6) months, counting from the date you are notified of the determined reward amount.\n*  Contacting our team regarding the status of a report through any channel other than HackerOne will result in immediate disqualification from a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. 
Nord Security cannot provide updates on remediation efforts that are in progress.\n\nReports related to **third-party or open-source dependencies** are **out of scope** unless **all** of the following apply:\n- The vulnerability affects our product/infrastructure\n- The impact is caused by our implementation, configuration, or failure to update\n- The report includes clear, reproducible evidence of exploitability in our product\n- The report does **not** rely solely on:\n  - an upstream CVE or security advisory\n  - a blog post or public proof-of-concept\n  - automated dependency scan output\n  - dependency version enumeration\n\nFor vulnerabilities that have already been fixed upstream:\n- Reports must demonstrate exploitability in our product\n- Reports based only on using a vulnerable dependency version are not eligible\n- Simply noting that an upstream fix exists but has not yet been adopted is insufficient\n\nFor vulnerabilities in third-party or open-source dependencies where a fix has been publicly available upstream for **30 days or more**, reports may be considered **on a case-by-case basis**. Eligibility and bounty decisions will depend on factors such as:\n- demonstrated exploitability in our product\n- severity and real-world impact\n- ease of exploitation and likelihood of abuse\n- whether the issue represents a meaningful security risk to users\n\nThe existence of an upstream fix alone, or the passage of time since its release, does not guarantee eligibility for a bounty.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) that you have entered into with us. 
If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n# Public Disclosure\n\n---\nNord Security follows HackerOne’s Coordinated Vulnerability Disclosure guidelines.\n- Researchers must comply with HackerOne’s Disclosure Guidelines at all times.\n- Any public disclosure requires prior approval from Nord Security.\n- Submission of a disclosure request does not guarantee approval.\n\nNord Security reserves full discretion to:\n- approve or decline disclosure requests,\n- determine the timing of any approved disclosure,\n- limit the level of technical detail disclosed.\n\nThese rules apply to all reports, including valid, invalid, duplicate, informational, and out-of-scope findings, regardless of reward eligibility.\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DoS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. 
StrongSwan bugs (please report those to StrongSwan directly).\n10. Out-of-date software – we do not always run the most recent software versions (patched).\n11. Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      *  nordaccount.com\n      *  nordcheckout.com\n      *  nordsecurity.com\n      *  sailysupport.zendesk.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute-force testing or Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n17. Content Spoofing\n18. Issues related to Password Policy\n19. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n20. HTTP TRACE or OPTIONS methods enabled\n21. Self-XSS and issues exploitable only through Self-XSS\n22. Exploits that require physical access to a user's machine\n23. Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n24. Bugs that do not represent any security risk\n25. Submissions from former NordVPN employees within one year of their departure from NordVPN\n26. Issues found through automated testing\n27. \"Scanner output\" or scanner-generated reports\n28. 
SSL or SSH issues (weak ciphers/key-size/BEAST/CRIME)\n29. CSRF without proof of security impact\n30. Application or server error messages, stack traces\n31. Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n32. Attacks using the IP Rotate method\n33. All reports related to **NordLayer** services and infrastructure.\n34. Antimalware detection bypass or undetected malware samples\n35. OpenVPN configuration files (they are intended to be public)\n36. Feature bypasses, unless they pose a security risk to other users, the product, or the service; simply accessing, abusing, or bypassing premium features is not sufficient.\n37. Any attacks on our applications that require the use of a rooted or jailbroken device.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-29T13:11:44.012Z"},{"id":3767419,"new_policy":"At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Please note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us, you acknowledge that you have read and agreed to this Policy.\n\n---\n\n# Program Rules\nOur main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. 
If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve it.\n* We reserve the sole right to determine the size of the reward, if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for especially clever or severe vulnerabilities. We recommend that you use the [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide to vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined at our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* A reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information that is necessary to receive the reward.\n* Taxes on rewards given to you are your sole responsibility. 
\n* The reward will be forfeited if it remains unclaimed or undeliverable for a period of six (6) months, counting from the date you are notified of the determined reward amount.\n*  Contacting our team regarding the status of a report through any channel other than HackerOne will result in immediate disqualification from a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nReports related to **third-party or open-source dependencies** are **out of scope** unless **all** of the following apply:\n- The vulnerability affects our product/infrastructure\n- The impact is caused by our implementation, configuration, or failure to update\n- The report includes clear, reproducible evidence of exploitability in our product\n- The report does **not** rely solely on:\n  - an upstream CVE or security advisory\n  - a blog post or public proof-of-concept\n  - automated dependency scan output\n  - dependency version enumeration\n\nFor vulnerabilities that have already been fixed upstream:\n- Reports must demonstrate exploitability in our product\n- Reports based only on using a vulnerable dependency version are not eligible\n- Simply noting that an upstream fix exists but has not yet been adopted is insufficient\n\nFor vulnerabilities in third-party or open-source dependencies where a fix has been publicly available upstream for **30 days or more**, reports may be considered **on a case-by-case basis**. 
Eligibility and bounty decisions will depend on factors such as:\n- demonstrated exploitability in our product\n- severity and real-world impact\n- ease of exploitation and likelihood of abuse\n- whether the issue represents a meaningful security risk to users\n\nThe existence of an upstream fix alone, or the passage of time since its release, does not guarantee eligibility for a bounty.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) that you have entered into with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DoS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out-of-date software – we do not always run the most recent software versions (patched).\n11. 
Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      *  nordaccount.com\n      *  nordcheckout.com\n      *  nordsecurity.com\n      *  sailysupport.zendesk.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute-force testing or Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n17. Content Spoofing\n18. Issues related to Password Policy\n19. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n20. HTTP TRACE or OPTIONS methods enabled\n21. Self-XSS and issues exploitable only through Self-XSS\n22. Exploits that require physical access to a user's machine\n23. Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n24. Bugs that do not represent any security risk\n25. Submissions from former NordVPN employees within one year of their departure from NordVPN\n26. Issues found through automated testing\n27. \"Scanner output\" or scanner-generated reports\n28. SSL or SSH issues (weak ciphers/key-size/BEAST/CRIME)\n29. CSRF without proof of security impact\n30. Application or server error messages, stack traces\n31. 
Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n32. Attacks using the IP Rotate method\n33. All reports related to **NordLayer** services and infrastructure.\n34. Antimalware detection bypass or undetected malware samples\n35. OpenVPN configuration files (they are intended to be public)\n36. Feature bypasses, unless they pose a security risk to other users, the product, or the service; simply accessing, abusing, or bypassing premium features is not sufficient.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-16T08:53:33.361Z"},{"id":3763566,"new_policy":"At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Please note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us, you acknowledge that you have read and agreed to this Policy.\n\n---\n\n# Program Rules\nOur main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered duplicates, regardless of the attack vector. 
In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve it.\n* We reserve the sole right to determine the size of the reward, if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for especially clever or severe vulnerabilities. We recommend that you use the [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide to vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined at our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* A reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information that is necessary to receive the reward.\n* Taxes on rewards given to you are your sole responsibility.\n* The reward will be forfeited if it remains unclaimed or undeliverable for a period of six (6) months, counting from the date you are notified of the determined reward amount.\n*  Contacting our team regarding the status of a report through any channel other than HackerOne will result in immediate disqualification from a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. 
You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) that you have entered into with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DoS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out-of-date software – we do not always run the most recent software versions (patched).\n11. 
Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      *  nordaccount.com\n      *  nordcheckout.com\n      *  nordsecurity.com\n      *  sailysupport.zendesk.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute-force testing or Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n17. Content Spoofing\n18. Issues related to Password Policy\n19. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n20. HTTP TRACE or OPTIONS methods enabled\n21. Self-XSS and issues exploitable only through Self-XSS\n22. Exploits that require physical access to a user's machine\n23. Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n24. Bugs that do not represent any security risk\n25. Submissions from former NordVPN employees within one year of their departure from NordVPN\n26. Issues found through automated testing\n27. \"Scanner output\" or scanner-generated reports\n28. SSL or SSH issues (weak ciphers/key-size/BEAST/CRIME)\n29. CSRF without proof of security impact\n30. Application or server error messages, stack traces\n31. 
Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n32. Attacks using the IP Rotate method\n33. All reports related to **NordLayer** services and infrastructure.\n34. Antimalware detection bypass or undetected malware samples\n35. OpenVPN configuration files (they are intended to be public)\n36. Feature bypasses, unless they pose a security risk to other users, the product, or the service; simply accessing, abusing, or bypassing premium features is not sufficient.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-25T09:43:31.821Z"},{"id":3749495,"new_policy":"At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Please note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us, you acknowledge that you have read and agreed to this Policy.\n\n---\n\n# Program Rules\nOur main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered duplicates, regardless of the attack vector. 
In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve it.\n* We reserve the sole right to determine the size of the reward, if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for especially clever or severe vulnerabilities. We recommend that you use the [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide to vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined at our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* A reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information that is necessary to receive the reward.\n* Taxes on rewards given to you are your sole responsibility.\n* The reward will be forfeited if it remains unclaimed or undeliverable for a period of six (6) months, counting from the date you are notified of the determined reward amount.\n*  Contacting our team regarding the status of a report through any channel other than HackerOne will result in immediate disqualification from a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. 
You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) that you have entered into with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DoS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out-of-date software – we do not always run the most recent software versions (patched).\n11. 
Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n      * nordsecurity.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. 
Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method\n37. All reports related to **NordLayer** services and infrastructure.\n38. Antimalware detection bypass or undetected malware samples\n39. OpenVPN configuration files (they are intended to be public)\n40. Feature bypasses are acceptable unless they pose a security risk to other users, the product, or the service; simply accessing, abusing, or bypassing premium features is not sufficient.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-05T09:57:05.782Z"},{"id":3748079,"new_policy":"At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Please note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n---\n\n# Program Rules\n# Our main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. 
In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. 
You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. 
Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n      * nordsecurity.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. 
Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method\n37. All reports related to **NordLayer** services and infrastructure.\n38. Antimalware detection bypass or undetected malware samples\n39. OpenVPN configuration files (they are intended to be public)\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-15T10:25:21.608Z"},{"id":3707372,"new_policy":"At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Please note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n---\n\n# Program Rules\n# Our main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. 
In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. 
You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. 
Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n      * nordsecurity.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. 
Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method\n37. All reports related to **NordLayer** services and infrastructure.\n38. Antimalware detection bypass or undetected malware samples\n39. OpenVPN configuration files (they are intended to be public)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-22T08:14:15.409Z"},{"id":3704544,"new_policy":"At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Please note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n---\n\n# Program Rules\n# Our main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. 
In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. 
You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. 
Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n      * nordsecurity.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. 
Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method\n37. All reports related to **NordLayer** services and infrastructure.\n38. Antimalware detection bypass or undetected malware samples\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-05T07:36:09.621Z"},{"id":3651777,"new_policy":"At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Please note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n---\n\n# Program Rules\n# Our main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. 
In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. 
You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. 
Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n      * nordsecurity.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. 
Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method\n37. All reports related to **NordVPN Teams**, **NordVPN White Label** services and infrastructure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-30T11:22:13.424Z"},{"id":3651273,"new_policy":"# HackerOne Promotion Testing Guide\n\n---\nWe are excited to announce the addition of our new products in scope: NordPass + NordLocker! To celebrate this release, we are running a Promotion on all of our mobile and desktop applications (web domains are excluded). **We have extended the promotion and it will now continue until April 30th! All Critical severity reports will receive a $1000 bonus, and all High severity reports will receive a $500 bonus!** \n\nWe're looking forward to receiving some creative findings! \n\nGood Luck! \n-- \nHere are the key aspects to consider when entering the HackerOne Challenge:\n* This campaign is active only from 2021/03/31 until 2021/04/14\n*  Only Critical and High severity reports will receive double the amount in bounties\n*  Additional bounty rewards are ONLY applicable to consumer applications (mobile/desktop)\n* In case you need an active subscription or perform a purchase to obtain a subscription, we advise you to use your HackerOne email address.\n*  If you would like to cancel a subscription - we offer a money-back guarantee. To cancel your subscription and receive a refund you’d need to reach out to our customers’ support team.\n\n\n# Program Rules\n\n---\n\nAt Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. 
Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n\n# Our main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. 
The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. 
Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n      * nordsecurity.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. 
Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method \n37. All reports related to **NordVPN Teams**, **NordVPN White Label**  services and infrastructure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-19T15:26:38.694Z"},{"id":3650617,"new_policy":"# HackerOne Promotion Testing Guide\n\n---\nWe are excited to announce the addition of our new products in scope; NordPass + NordLocker! To celebrate this release, we are running a Promotion on all of our mobile and desktop applications (web domains are excluded). **From 31st March - 14th April, all Critical severity reports will receive $1000 bonus, and all High severity reports will receive $500 bonus!** \n\nWe're looking forward to receiving some creative findings! \n\nGood Luck! 
\n-- \nHere are the key aspects to consider when entering HackerOne Challenge:\n* This campaign is active only from 2021/03/31 until 2021/04/14\n*  Only Critical and High severity reports will receive double the amount in bounties\n*  Additional bounty rewards are ONLY applicable to consumer applications (mobile/desktop)\n* In case you need an active subscription or perform a purchase to obtain a subscription we advise you to use your HackerOne email address.\n*  If you would like to cancel a subscription - we offer a money-back guarantee. To cancel your subscription and receive a refund you’d need to reach out to our customers’ support team.\n\n\n# Program Rules\n\n---\n\nAt Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n\n# Our main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. 
In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. 
You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. 
Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n      * nordsecurity.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. 
Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method\n39. All reports related to **NordVPN Teams**, **NordVPN White Label** services and infrastructure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-31T12:35:02.051Z"},{"id":3650614,"new_policy":"# HackerOne Promotion Testing Guide\n\n---\nWe are excited to announce the addition of our new products in scope: NordPass + NordLocker! To celebrate this release, we are running a Promotion on all of our mobile and desktop applications (web domains are excluded). **From 31st March - 14th April, all Critical severity reports will receive a $1000 bonus, and all High severity reports will receive a $500 bonus!** \n\nWe're looking forward to receiving some creative findings! \n\nGood Luck! \n-- \nHere are the key aspects to consider when entering HackerOne Challenge:\n* This campaign is active only from 2021/03/31 until 2021/04/14\n*  Only Critical and High severity reports will receive double the amount in bounties\n*  Additional bounty rewards are ONLY applicable to consumer applications (mobile/desktop)\n* In case you need an active subscription or perform a purchase to obtain a subscription, we advise you to use your HackerOne email address.\n*  If you would like to cancel a subscription - we offer a money-back guarantee. To cancel your subscription and receive a refund you’d need to reach out to our customers’ support team.\n\n\n# Program Rules\n\n---\n\nAt Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. 
Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n\n# Our main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. 
The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. 
Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. 
Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method \n37. All reports related to **NordVPN Teams**, **NordVPN White Label**  services and infrastructure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-31T10:56:16.188Z"},{"id":3650610,"new_policy":"# HackerOne Challange Testing Guide\n\n---\nHere are the key aspects to consider when entering HackerOne Challenge:\n* This campaign is active only from 2021/03/31 until 2021/04/14\n*  Only Critical and High severity reports will receive double the amount in bounties\n*  Additional bounty rewards are ONLY applicable to consumer applications (mobile/desktop)\n* In case you need an active subscription or perform a purchase to obtain a subscription we advise you to use your HackerOne email address.\n*  If you would like to cancel a subscription - we offer a money-back 
guarantee. To cancel your subscription and receive a refund you’d need to reach out to our customers’ support team.\n\n\n# Program Rules\n\n---\n\nAt Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n\n# Our main rules are as follows:\n\n---\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. 
However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\n# Scope of Accepted Reports\n\n---\nAccepted, in-scope findings, include, but are not limited to:\n1. 
NordVPN, NordPass and NordLocker consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. Nord Security VPN servers.\n3. Nord Security backend services and website.\n\n# Out-Of-Scope Reports (not eligible for a reward)\n\n---\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *  go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. 
phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method \n37. All reports related to **NordVPN Teams**, **NordVPN White Label**  services and infrastructure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-31T09:47:24.145Z"},{"id":3641901,"new_policy":"Program Rules\n=====================\nAt NordVPN we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. 
Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n\nOur main rules are as follows:\n---------------------\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, NordVPN reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward, if any. We determine this on a case by case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. 
The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that NordVPN operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. NordVPN cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\nScope of Accepted Reports\n=====================\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. NordVPN VPN servers.\n3. 
NordVPN backend services and website.\n\n\nOut-Of-Scope Reports (not eligible for a reward)\n=====================\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. Subdomains, including but not limited to:\n      *  affiliates.nordvpn.com\n      *   go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. 
Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method \n39. All reports related to **NordVPN Teams**, **NordLocker** or **NordPass** services and infrastructure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-01T07:50:40.774Z"},{"id":3641858,"new_policy":"Program Rules\n=====================\nAt NordVPN we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. 
By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n\nOur main rules are as follows:\n---------------------\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, NordVPN reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward, if any. We determine this on a case by case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. 
The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that NordVPN operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. NordVPN cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\nScope of Accepted Reports\n=====================\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third-party devices.\n2. NordVPN VPN servers.\n3. 
NordVPN backend services and website.\n\n\nOut-Of-Scope Reports (not eligible for a reward)\n=====================\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third-party applications, scripts, and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. Third party services, including but not limited to:\n      *  affiliates.nordvpn.com\n      *   go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *  mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n      * nordaccount.com\n      * nordcheckout.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. 
Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. Hardcoded Firebase API keys in applications **(unless it constitutes a significant risk)**\n38. Attacks using the IP Rotate method \n39. All reports related to **NordVPN Teams**, **NordLocker** or **NordPass** services and infrastructure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-31T07:07:37.227Z"},{"id":3634727,"new_policy":"Program Rules\n=====================\nAt NordVPN we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. 
By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\n\nOur main rules are as follows:\n---------------------\n*  Automated testing is not permitted.\n*  Follow [HackerOne’s Disclosure Guidelines](https://hackerone.com/guidelines).\n*  You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, NordVPN reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.\n* We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.\n* We reserve the sole right to determine the size of the reward, if any. We determine this on a case by case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\n* We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. 
The final and actual severity level is determined by us in our sole discretion.\n* To receive a reward, you must disclose the vulnerability report directly and exclusively to us.\n* Previous reward amounts are not considered a precedent for future reward amounts.\n* Reward may be denied if there is reason to believe that there has been a violation of this Policy.\n* You may need to provide additional information, which would be necessary to receive the reward.  \n* Taxes on rewards given to you are your sole responsibility. \n* Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n*  Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.\n*  Please recognize that NordVPN operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. NordVPN cannot provide updates on remediation efforts that are in progress.\n\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\n\n\nScope of Accepted Reports\n=====================\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN consumer applications on all platforms:\n      *  Windows\n      *  Mac\n      *  iOS\n      *  Android\n      *  Linux\n      *  Browser extensions and official apps on third party devices.\n2. NordVPN VPN servers.\n3. 
NordVPN backend services and website.\n\n\nOut-Of-Scope Reports (not eligible for a reward)\n=====================\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Denial of service (DOS) attacks.\n3. Unofficial third party applications, scripts and integrations.\n4. End-of-life application versions.\n5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.\n7. WordPress bugs (please report those to WordPress directly).\n8. OpenVPN bugs (please report those to OpenVPN directly).\n9. StrongSwan bugs (please report those to StrongSwan directly).\n10. Out of date software – we do not always run the most recent software versions (patched).\n11. Third party services, including but not limited to:\n      *  affiliates.nordvpn.com\n      *   go.nordvpn.com\n      *  zendesk.nordvpn.com\n      *  prevention.nordvpn.com\n      *  595468.nordvpn.com\n      *  c.nordvpn.com\n      *  bounces.nordvpn.com\n      *  links*.nordvpn.com\n      *  mltrack.nordvpn.com\n      *   mltracksgrd.nordvpn.com\n      *  support.nordvpn.com\n12. Anything related to credential stuffing and account takeover.\n13. Brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality **(unless it constitutes a significant risk)**\n14. User account verification/enumeration attacks\n15. User account deletion process\n16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:\n      *  SPF and DKIM issues\n      *  Content injection\n      *  Hyperlink injection in emails\n      *  IDN homograph attacks\n      *  RTL Ambiguity\n22. Content Spoofing\n23. Issues related to Password Policy\n24. 
Missing best practices, information disclosures, use of a known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)\n25. HTTP TRACE or OPTIONS methods enabled\n26. Self-XSS and issues exploitable only through Self-XSS\n27. Exploits that require physical access to a user's machine\n28. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n29. Bugs that do not represent any security risk\n30. Submissions from former NordVPN employees within one year of their departure from NordVPN\n31. Issues found through automated testing\n32. \"Scanner output\" or scanner-generated reports\n33. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)\n34. CSRF without proof of security impact\n36. Application or server error messages, stack traces\n37. All reports related to **NordVPN Teams**, **NordLocker** or **NordPass** services and infrastructure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-07T12:49:25.935Z"},{"id":3628319,"new_policy":"Potential Security Vulnerability Reporting Policy\n=====================\nAt NordVPN we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. Therefore, if you have found a potential security vulnerability, we would like to learn more about it to be able to correct the issue as soon as possible.\nPlease note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. 
By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\nPlease note that in order to submit a Vulnerability Finding to us you must be at least 14 years old. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to making a submission to us.\n\nSafe harbor terms\n---------------------\nTo encourage security researchers and our user community, we commit that, if we conclude, in our sole discretion, that your submission respects and meets the requirements of this Policy and Agreements, we will not pursue civil or criminal action, or send notice to law enforcement, and we may even reward you. \nNeither will we pursue civil or criminal action, or send notice to law enforcement for accidental, good faith violations of this Policy and Agreements. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision, meaning, if in doubt, ask us first.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\nYou are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this bug bounty program permits.\n\nScope of accepted findings\n---------------------\nAccepted, in-scope findings, include, but are not limited to:\n1. NordVPN consumer applications (all platforms: Windows, Mac, iOS, Android, Linux, browser extensions and official apps on third party devices).\n2. NordVPN VPN servers.\n3. NordVPN backend services and website.\n\nFindings that we do not accept (out-of-scope findings) include, but are not limited to:\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Findings derived from social engineering (e.g. phishing, vishing).\n3. Denial of service (DOS) attacks.\n4. Unofficial third party applications, scripts and integrations.\n5. End-of-life application versions.\n6. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n7. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.\n8. WordPress bugs (please report those to WordPress directly).\n9. OpenVPN bugs (please report those to OpenVPN directly).\n10. StrongSwan bugs (please report those to StrongSwan directly).\n11. Out of date software – we do not always run the most recent software versions (patched).\n12. Third party services. Including but not limited to affiliates.nordvpn.com, zendesk.nordvpn.com, \\*zendesk\\*.nordvpn.com, prevention.nordvpn.com, 595468.nordvpn.com, c.nordvpn.com, bounces.nordvpn.com, links1.nordvpn.com, mltrack.nordvpn.com, mltracksgrd.nordvpn.com, support.nordvpn.com.\n13. Anything related to credential stuffing.\n14. 
NordVPN Teams applications, VPN servers, backend services and website.\n15. Any other products or services related to NordVPN.\n\nReporting the findings\n---------------------\nAll the findings must be reported to us using Hackerone platform.\n\nPlease include:\n1. a description of the finding containing such info as URL and/or type of the potential vulnerability;\n2. a step-by-step guide that would allow us to reproduce the finding;\n3. if applicable, accompanying evidence, e.g. screenshots, videos, proof of concept code, dumps, etc.;\n4. if possible, a way to fix the issue;\n5. any other information that you think is relevant.\n\nYou could also add your contact information, including your public PGP key.\nWe will acknowledge the receipt of all the potential vulnerability disclosure finding reports. If you have not received a reply from us within seven days, please send a follow-up message. Should we decide to fix the bug, we will tell you when we expect to resolve it.\n\nCode of conduct\n---------------------\nOnly interact with accounts you own or with explicit permission of the account holder.\nDo not leak any data. \nDo not perform any testing that could degrade the quality of our services. \nDo not modify any files or data, including permissions, nor make copies, and do not intentionally view or access any data beyond what is needed to prove the vulnerability. \nDo not disclose any findings or accessed data to any third parties. \nIf you have information about a potential security vulnerability and/or inadvertently come into possession of private data, please promptly initiate the reporting process as described above. \nClaims for rewards or other compensation as a condition for sending in a potential Vulnerability Finding is not accepted and could be regarded as extortion - a criminal offence under the penal law. 
\nFor more information, please contact us at security@nordvpn.com.\n\nThe reward\n---------------------\nTo receive a reward, you must disclose the vulnerability report directly and exclusively to us. You also must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change.\nWe reserve the sole right to determine the size of reward, if any. We determine this on a case by case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\nThis is a reference payout range for vulnerabilities depending on their severity levels:\n\n* Critical: $1000-5000+  USD\n* High: $500-1000 USD\n* Medium: $100-500 USD\n* Low: $100 USD\n* None: $0 USD\n\nWe may pay even higher rewards for especially clever or severe vulnerabilities. \nWe recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\nPrevious reward amounts are not considered a precedent for future reward amounts.\nReward may be denied if there is reason to believe that there has been a violation of this Policy.\nYou may need to provide additional information, which would be necessary to receive the reward.  \nTaxes on rewards given to you are your sole responsibility. \nReward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount\n\nPublic disclosure\n---------------------\nYou must not publicly disclose the bug until after an update that fixes the bug is released. 
We ask to give us at least 90 day disclosure deadline. Reports that go against this principle will usually not qualify for our program and may even get you a permanent ban. We reserve the right to bring deadlines forward or backward and to deny any request for public disclosure based on extreme circumstances. \n\nOther terms\n---------------------\nBy making a submission, you give us the right to use your Vulnerability Finding for any purpose.\nYou understand that your obligations under this Policy shall survive the termination of any other relationship between us.  \nThis Policy is subject to change or cancellation by us at any time, without notice. As such, we may amend this Policy at any time. By continuing with your submission after such changes are posted, you accept those modifications.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-14T19:41:33.102Z"},{"id":3625959,"new_policy":"Potential Security Vulnerability Reporting Policy\n=====================\nAt NordVPN we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. Therefore, if you have found a potential security vulnerability, we would like to learn more about it to be able to correct the issue as soon as possible.\nPlease note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. 
If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\nPlease note that in order to submit a Vulnerability Finding to us you must be at least 14 years old. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to making a submission to us.\n\nSafe harbor terms\n---------------------\nTo encourage security researchers and our user community, we commit that, if we conclude, in our sole discretion, that your submission respects and meets the requirements of this Policy and Agreements, we will not pursue civil or criminal action, or send notice to law enforcement, and we may even reward you. \nNeither will we pursue civil or criminal action, or send notice to law enforcement for accidental, good faith violations of this Policy and Agreements. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision, meaning, if in doubt, ask us first.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\nYou are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this bug bounty program permits.\n\nScope of accepted findings\n---------------------\nAccepted, in-scope findings include, but are not limited to:\n1. NordVPN applications (all platforms: Windows, Mac, iOS, Android, Linux, browser extensions and official apps on third party devices).\n2. NordVPN VPN servers.\n3. NordVPN backend services and website.\n\nFindings that we do not accept (out-of-scope findings) include, but are not limited to:\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Findings derived from social engineering (e.g. phishing, vishing).\n3. Denial of service (DoS) attacks.\n4. Unofficial third party applications, scripts and integrations.\n5. End-of-life application versions.\n6. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n7. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.\n8. WordPress bugs (please report those to WordPress directly).\n9. OpenVPN bugs (please report those to OpenVPN directly).\n10. StrongSwan bugs (please report those to StrongSwan directly).\n11. Out of date software – we do not always run the most recent software versions (patched).\n12. Third party services, including but not limited to affiliates.nordvpn.com, zendesk.nordvpn.com, \\*zendesk\\*.nordvpn.com, prevention.nordvpn.com, 595468.nordvpn.com, c.nordvpn.com, bounces.nordvpn.com, links1.nordvpn.com, mltrack.nordvpn.com, mltracksgrd.nordvpn.com.\n13. 
Anything related to credential stuffing.\n\nReporting the findings\n---------------------\nAll the findings must be reported to us using the HackerOne platform.\n\nPlease include:\n1. a description of the finding containing such info as URL and/or type of the potential vulnerability;\n2. a step-by-step guide that would allow us to reproduce the finding;\n3. if applicable, accompanying evidence, e.g. screenshots, videos, proof of concept code, dumps, etc.;\n4. if possible, a way to fix the issue;\n5. any other information that you think is relevant.\n\nYou could also add your contact information, including your public PGP key.\nWe will acknowledge receipt of all potential vulnerability finding reports. If you have not received a reply from us within seven days, please send a follow-up message. Should we decide to fix the bug, we will tell you when we expect to resolve it.\n\nCode of conduct\n---------------------\nOnly interact with accounts you own or with explicit permission of the account holder.\nDo not leak any data. \nDo not perform any testing that could degrade the quality of our services. \nDo not modify any files or data, including permissions, nor make copies, and do not intentionally view or access any data beyond what is needed to prove the vulnerability. \nDo not disclose any findings or accessed data to any third parties. \nIf you have information about a potential security vulnerability and/or inadvertently come into possession of private data, please promptly initiate the reporting process as described above. \nClaims for rewards or other compensation as a condition for sending in a potential Vulnerability Finding are not accepted and could be regarded as extortion - a criminal offence under the penal law. \nFor more information, please contact us at security@nordvpn.com.\n\nThe reward\n---------------------\nTo receive a reward, you must disclose the vulnerability report directly and exclusively to us. 
You also must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change.\nWe reserve the sole right to determine the size of reward, if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\nThis is a reference payout range for vulnerabilities depending on their severity levels:\n\n* Critical: $1000-5000+ USD\n* High: $500-1000 USD\n* Medium: $100-500 USD\n* Low: $100 USD\n* None: $0 USD\n\nWe may pay even higher rewards for especially clever or severe vulnerabilities. \nWe recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\nPrevious reward amounts are not considered a precedent for future reward amounts.\nReward may be denied if there is reason to believe that there has been a violation of this Policy.\nYou may need to provide additional information, which would be necessary to receive the reward.  \nTaxes on rewards given to you are your sole responsibility. \nReward will be forfeited if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount.\n\nPublic disclosure\n---------------------\nYou must not publicly disclose the bug until after an update that fixes the bug is released. We ask you to give us at least a 90-day disclosure deadline. Reports that go against this principle will usually not qualify for our program and may even get you a permanent ban. 
We reserve the right to bring deadlines forward or backward and to deny any request for public disclosure based on extreme circumstances. \n\nOther terms\n---------------------\nBy making a submission, you give us the right to use your Vulnerability Finding for any purpose.\nYou understand that your obligations under this Policy shall survive the termination of any other relationship between us.  \nThis Policy is subject to change or cancellation by us at any time, without notice. As such, we may amend this Policy at any time. By continuing with your submission after such changes are posted, you accept those modifications.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-12T16:11:41.426Z"},{"id":3625632,"new_policy":"Potential Security Vulnerability Reporting Policy\n=====================\nAt NordVPN we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Therefore, if you have found a potential security vulnerability, we would like to learn more about it to be able to correct the issue as soon as possible.\nPlease note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) into which you have entered with us. 
If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\nPlease note that in order to submit a Vulnerability Finding to us you must be at least 14 years old. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to making a submission to us.\n\nSafe harbor terms\n---------------------\nTo encourage security researchers and our user community, we commit that, if we conclude, in our sole discretion, that your submission respects and meets the requirements of this Policy and Agreements, we will not pursue civil or criminal action, or send notice to law enforcement, and we may even reward you. \nNeither will we pursue civil or criminal action, or send notice to law enforcement for accidental, good-faith violations of this Policy and Agreements. We reserve the sole right to make the determination of whether a violation of this Policy is accidental or in good faith, and proactive contact with us before engaging in any action is a significant factor in that decision, meaning, if in doubt, ask us first.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\nYou are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this bug bounty program permits.\n\nScope of accepted findings\n---------------------\nAccepted, in-scope findings include, but are not limited to:\n1. NordVPN applications (all platforms: Windows, Mac, iOS, Android, Linux, browser extensions and official apps on third party devices).\n2. NordVPN VPN servers.\n3. NordVPN backend services and website.\n\nFindings that we do not accept (out-of-scope findings) include, but are not limited to:\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Findings derived from social engineering (e.g. phishing, vishing).\n3. Denial of service (DoS) attacks.\n4. Unofficial third party applications, scripts and integrations.\n5. End-of-life application versions.\n6. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n7. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.\n8. WordPress bugs (please report those to WordPress directly).\n9. OpenVPN bugs (please report those to OpenVPN directly).\n10. StrongSwan bugs (please report those to StrongSwan directly).\n11. Out of date software – we do not always run the most recent software versions (patched).\n12. Third party services, 
including but not limited to affiliates.nordvpn.com, zendesk.nordvpn.com, *zendesk*.nordvpn.com, prevention.nordvpn.com, 595468.nordvpn.com, c.nordvpn.com, bounces.nordvpn.com, links1.nordvpn.com, mltrack.nordvpn.com, mltracksgrd.nordvpn.com\n\nReporting the findings\n---------------------\nAll the findings must be reported to us using the HackerOne platform.\n\nPlease include:\n1. a description of the finding containing such info as URL and/or type of the potential vulnerability;\n2. a step-by-step guide that would allow us to reproduce the finding;\n3. if applicable, accompanying evidence, e.g. screenshots, videos, proof of concept code, dumps, etc.;\n4. if possible, a way to fix the issue;\n5. any other information that you think is relevant.\n\nYou could also add your contact information, including your public PGP key.\nWe will acknowledge receipt of all potential vulnerability finding reports. If you have not received a reply from us within seven days, please send a follow-up message. Should we decide to fix the bug, we will tell you when we expect to resolve it.\n\nCode of conduct\n---------------------\nOnly interact with accounts you own or with explicit permission of the account holder.\nDo not leak any data. \nDo not perform any testing that could degrade the quality of our services. \nDo not modify any files or data, including permissions, nor make copies, and do not intentionally view or access any data beyond what is needed to prove the vulnerability. \nDo not disclose any findings or accessed data to any third parties. \nIf you have information about a potential security vulnerability and/or inadvertently come into possession of private data, please promptly initiate the reporting process as described above. \nClaims for rewards or other compensation as a condition for sending in a potential Vulnerability Finding are not accepted and could be regarded as extortion - a criminal offence under the penal law. 
\nFor more information, please contact us at security@nordvpn.com.\n\nThe reward\n---------------------\nTo receive a reward, you must disclose the vulnerability report directly and exclusively to us. You also must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change.\nWe reserve the sole right to determine the size of reward, if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.\nThis is a reference payout range for vulnerabilities depending on their severity levels:\n\n* Critical: $1000-5000+ USD\n* High: $500-1000 USD\n* Medium: $100-500 USD\n* Low: $100 USD\n* None: $0 USD\n\nWe may pay even higher rewards for especially clever or severe vulnerabilities. \nWe recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\nPrevious reward amounts are not considered a precedent for future reward amounts.\nReward may be denied if there is reason to believe that there has been a violation of this Policy.\nYou may need to provide additional information, which would be necessary to receive the reward.  \nTaxes on rewards given to you are your sole responsibility. \nReward will be forfeited if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount.\n\nPublic disclosure\n---------------------\nYou must not publicly disclose the bug until after an update that fixes the bug is released. 
We ask you to give us at least a 90-day disclosure deadline. Reports that go against this principle will usually not qualify for our program and may even get you a permanent ban. We reserve the right to bring deadlines forward or backward and to deny any request for public disclosure based on extreme circumstances. \n\nOther terms\n---------------------\nBy making a submission, you give us the right to use your Vulnerability Finding for any purpose.\nYou understand that your obligations under this Policy shall survive the termination of any other relationship between us.  \nThis Policy is subject to change or cancellation by us at any time, without notice. As such, we may amend this Policy at any time. By continuing with your submission after such changes are posted, you accept those modifications.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-09T11:10:49.560Z"},{"id":3625189,"new_policy":"Potential Security Vulnerability Reporting Policy\n=====================\nAt NordVPN we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal, community participation is essential. Therefore, if you have found a potential security vulnerability, we would like to learn more about it to be able to correct the issue as soon as possible.\nPlease note that your submission of a potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.\nThis Policy supplements the terms of any other agreement (collectively – “Agreements”) into which you have entered with us. 
If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.\nPlease note that in order to submit a Vulnerability Finding to us you must be at least 14 years old. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to making a submission to us.\n\nSafe harbor terms\n---------------------\nTo encourage security researchers and our user community, we commit that, if we conclude, in our sole discretion, that your submission respects and meets the requirements of this Policy and Agreements, we will not pursue civil or criminal action, or send notice to law enforcement, and we may even reward you. \nNeither will we pursue civil or criminal action, or send notice to law enforcement for accidental, good-faith violations of this Policy and Agreements. We reserve the sole right to make the determination of whether a violation of this Policy is accidental or in good faith, and proactive contact with us before engaging in any action is a significant factor in that decision, meaning, if in doubt, ask us first.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\nYou are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this bug bounty program permits.\n\nScope of accepted findings\n---------------------\nAccepted, in-scope findings include, but are not limited to:\n1. NordVPN applications (all platforms: Windows, Mac, iOS, Android, Linux, browser extensions and official apps on third party devices).\n2. NordVPN VPN servers.\n3. NordVPN backend services and website.\n\nFindings that we do not accept (out-of-scope findings) include, but are not limited to:\n1. Findings from physical testing such as office access (e.g. open doors, tailgating).\n2. Findings derived from social engineering (e.g. phishing, vishing).\n3. Denial of service (DoS) attacks.\n4. Unofficial third party applications, scripts and integrations.\n5. End-of-life application versions.\n6. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n7. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.\n8. WordPress bugs (please report those to WordPress directly).\n9. OpenVPN bugs (please report those to OpenVPN directly).\n10. StrongSwan bugs (please report those to StrongSwan directly).\n11. Out of date software – we do not always run the most recent software versions (patched).\n\nReporting the findings\n---------------------\nAll the findings must be reported to us using the HackerOne platform.\n\nPlease include:\n1. a description of the finding containing such info as URL and/or type of the potential vulnerability;\n2. a step-by-step guide that would allow us to reproduce the finding;\n3. if applicable, accompanying evidence, e.g. 
screenshots, videos, proof of concept code, dumps, etc.;\n4. if possible, a way to fix the issue;\n5. any other information that you think is relevant.\n\nYou could also add your contact information, including your public PGP key.\nWe will acknowledge receipt of all potential vulnerability finding reports. If you have not received a reply from us within seven days, please send a follow-up message. Should we decide to fix the bug, we will tell you when we expect to resolve it.\n\nCode of conduct\n---------------------\nOnly interact with accounts you own or with explicit permission of the account holder.\nDo not leak any data. \nDo not perform any testing that could degrade the quality of our services. \nDo not modify any files or data, including permissions, nor make copies, and do not intentionally view or access any data beyond what is needed to prove the vulnerability. \nDo not disclose any findings or accessed data to any third parties. \nIf you have information about a potential security vulnerability and/or inadvertently come into possession of private data, please promptly initiate the reporting process as described above. \nClaims for rewards or other compensation as a condition for sending in a potential Vulnerability Finding are not accepted and could be regarded as extortion - a criminal offence under the penal law. \nFor more information, please contact us at security@nordvpn.com.\n\nThe reward\n---------------------\nTo receive a reward, you must disclose the vulnerability report directly and exclusively to us. You also must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change.\nWe reserve the sole right to determine the size of reward, if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). 
You shall respect our final decision.\nThis is a reference payout range for vulnerabilities depending on their severity levels:\n\n* Critical: $1000-5000+ USD\n* High: $500-1000 USD\n* Medium: $100-500 USD\n* Low: $100 USD\n* None: $0 USD\n\nWe may pay even higher rewards for especially clever or severe vulnerabilities. \nWe recommend for you to use [Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.\nPrevious reward amounts are not considered a precedent for future reward amounts.\nReward may be denied if there is reason to believe that there has been a violation of this Policy.\nYou may need to provide additional information, which would be necessary to receive the reward.  \nTaxes on rewards given to you are your sole responsibility. \nReward will be forfeited if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount.\n\nPublic disclosure\n---------------------\nYou must not publicly disclose the bug until after an update that fixes the bug is released. We ask you to give us at least a 90-day disclosure deadline. Reports that go against this principle will usually not qualify for our program and may even get you a permanent ban. We reserve the right to bring deadlines forward or backward and to deny any request for public disclosure based on extreme circumstances. \n\nOther terms\n---------------------\nBy making a submission, you give us the right to use your Vulnerability Finding for any purpose.\nYou understand that your obligations under this Policy shall survive the termination of any other relationship between us.  
\nThis Policy is subject to change or cancellation by us at any time, without notice. As such, we may amend this Policy at any time. By continuing with your submission after such changes are posted, you accept those modifications.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-04T15:25:27.609Z"}]