Privacy always has been and always will be the core focus at TorGuard. We pride ourselves on providing the highest possible standards of security for all of our users. We always report the latest security vulnerabilities in the news so you can use that information to help keep yourself safe when other networks or services become compromised. Our focus, from day one, has always been the safety, privacy, anonymity, and security of internet users everywhere.
Many people trust TorGuard to keep them safe while they browse. Among these people are both formal and informal cybersecurity experts. We value hobbyists and newcomers just as much as we value seasoned professionals – we can all learn a little bit from each other and work together to create the most secure VPN experience on the internet.
That’s why we’re calling on our users to hunt for bugs. Your discoveries can help us solidify the walls of our VPN fortress, and we’re more than willing to compensate you for your findings. You’re doing something great for us, and we’d love to do something in return.
What is a Bug Bounty Program?
A bug bounty program is when a company opens itself up to scrutiny, inviting researchers and experts to thoroughly pick through every corner of their website and services in search of major flaws or vulnerabilities. We want you to observe TorGuard from every angle, in search of something we can fix or do better to keep our users safe. We’re constantly performing thorough checks, but that doesn’t mean a few fresh sets of eyes won’t help.
Rules of the TorGuard Bug Bounty Program
The Bug Bounty program is limited to TorGuard servers, the TorGuard website, and the TorGuard mobile apps. Our social media accounts do not apply to the bug bounty program.
How We Decide What Qualifies
The TorGuard team takes bug reports seriously. We will thoroughly review every report in an attempt to locate or duplicate any bugs. The severity and legitimacy of the findings will ultimately determine what constitutes a bug and how much the bounty is. By participating in the bug bounty program, you understand that the decisions made by the TorGuard team are final.
Please Disclose Your Findings Responsibly
We encourage participants to report their findings immediately and responsibly. Findings can be reported directly to TorGuard via an OpenPGP key encrypted email message. We ask that bug finders do not disclose or discuss bugs with anyone else until TorGuard investigates, repairs, and discloses the information. We’re fully transparent with our users and we’ll act quickly.
Do not publicly discuss any expected bugs before you’ve reported them. Doing so may encourage bad actors to jeopardize users of TorGuard.
Do not show up unannounced at any TorGuard representative’s homes to share your findings.
Do not withhold your findings on basis of payment requirement or special request. Doing so does not follow responsible disclosure protocol.
Send your report to TorGuard’s bug bounty program at the following email address:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.5.5
Comment: https://openpgpjs.org
xsBNBF4vRVEBCACxKqFP1kKYhmEJbQjWvrjS+YL/4SoBzY8o0HUMnZhix09w
IS+UXh6eySVKqAALV/85x07LhR49lh/dRrs5pvRMepA19d3C8FrsRQicvltC
+5QOyyd/D10/sq6XYjZ3efTz2z1CTtSS6LOGrsOP3uzbc4vIE4lJ0QHVwG5I
EJNyTiDbGair3at8l+mfiRN6E/RCyCxcVz4ugC3e9IrwmlMSBksv2UnI1QmT
xnaOvIQ6eOwtk2mDoLx1MxCsykU1h75seks0qTEmMDFmH25P5XijddTMWhVZ
ss732oVzH6jA1xntgka16X77Y29mDIa+peeh8YD/VYrr/5Mx0FkAnBofABEB
AAHNGzxidWdib3VudHlAcHJpdmF0ZW1haWwuY29tPsLAdQQQAQgAHwUCXi9F
UQYLCQcIAwIEFQgKAgMWAgECGQECGwMCHgEACgkQ1D3WAlg1BB1bGwf+Ls/C
n/bfsRfJdp/CgHqVD0HuOBCx4Zz8CfF9l8HnJ2iM84hHcziZIqTbmKk+npGL
iS/BMoKTdk+Zs8J4yQU+VK6YIznAA4OI3AmgJq02owhVf0TBmwAQAwB/yV2i
ItqHf/W0CCUetlzJoUF25CpLDb+Khr5p2zpTD5Kgbkirz9B++UlNUbo8abrj
EBwJj2HJVpULBtthtoGazG67gHFdy1ojoxlQkRerxZiwmKXJ86jhwPKOfv5g
7cxtSTciTuCXNvKxozQG0EDJFJ9OjKkc15I+0SngXnuQP2Y3J09i5m3pDhHu
Vo8qy3Fxx34zi0EstXIU2tf2atgRe5vYzNqOtc7ATQReL0VRAQgA5i9BbVGn
9Ycyswvx973J9NwMIzgBHY6XEi/5Q22fTJW8NvyTIxaz5eYK/LnLXt0a1fR3
JS0sMj58Mb7TDdjlbemL0dlotjU5qQqiDGSMCI8PYwCNs40HMBnjWX3dSFLe
8bUm3f5Wk+9Z/q1nZCVqa+Zv8gDyylg1KiBiaz5El5OWQbDTkYE/E66ydXEv
tTMaaD675FMc1qf3vblLv9rpSqZr+GPk4f0ISgG9+9P6A81MfkjcGf5tZdsv
PDFhAm6xmfLcqn9izZHzjd+ElzY9YIVUf6W6z/TsKzXcZspFSvCw2FLkR8ao
zpufsSZEYXW7QnzyfUI5mIWM3W+HPXYDnQARAQABwsBfBBgBCAAJBQJeL0VR
AhsMAAoJENQ91gJYNQQdEO8H/joO2e+BKWrx3xnlfcGdPjnJOThpaQsehrr2
Z/0LqZMXX9lRdoYLcoysF2YEDsQgbL2HWVxAy4GtmpIrgusNq6ei9bM9bVZP
o3bZnNVPWZ6/RiAkhb+cvsC7pTQmpY7s6O9WW5RxXh6KLx6z4cIDJ5CiVyMY
P8MQ8UuuFY/913nrTkp14u0l0dObiKcjFegQ424a4xheqPMezzikZ6ruq49+
IQte8Jk29udkiqsQjmQwxSuah+z2MvA5gHxw3Ap+uVUeWJlwLOmBa6msHICu
XmcY8tqqu7Zaa9z9Da0wHSTjkrbIma+xPqzSs47PKN6uf65rG+dh4x7f+ysE
x/NQEos=
=x8F1
-----END PGP PUBLIC KEY BLOCK-----
Always Test Responsibly
Hacking accounts or leaking sensitive data does not count as bug testing. In fact, it makes you a malicious entity. Please do not conduct any tests that can degrade TorGuard’s services or interfere with our ability to serve our customers. We invite you to contact us before running tests – if you’re not sure, it never hurts to ask first.
Be Sure to Follow the Rules
Participants who do not follow the rules will be disqualified and therefore ineligible to receive a reward for their findings. If you’re unsure if you’re acting above board, just ask. A member of our team will let you know.
What Qualifies as a Bug Discovery?
Anything on TorGuard’s website, apps, or servers that can compromise user data or security qualifies as a bug. We do not consider vulnerabilities due to out of date browsers, security issues outside of TorGuard’s threat model, phishing or social engineering, or bugs that would require unlikely user interaction to be legitimate bugs.
How Much is the Reward?
The reward amount will differ depending on the finding. The bigger the finding, the better the reward will be. The only person eligible for the reward is the first person to discover the bug – any subsequent reports of the same bug are ineligible to receive a bounty. The faster you search, the better your chances will be. Follow the rules and you will be rewarded generously.