Security · Bug Bounty

Find a bug. Get rewarded.

Security is at the core of everything we build. If you discover a vulnerability in LunoVPN, we want to hear about it and we'll reward you for helping us keep millions of users safe.

$1,000
maximum reward per valid report
Up to $1,000 per report
48h first response
Safe harbor
Hall of Fame
Why we run it
Responsible disclosure, rewarded fairly

No software is perfect. The security research community plays a vital role in keeping LunoVPN strong. Our bug bounty program gives ethical researchers a clear, safe and rewarding way to report vulnerabilities — so we can fix them before they can ever be exploited. Report responsibly, give us time to fix, and earn up to $1,000.

Rewards
What's a finding worth?

Rewards scale with the severity and impact of the vulnerability. The most critical findings earn the full $1,000.

$1,000
Critical severity — maximum reward
Vulnerabilities that critically compromise user privacy or security — such as remote code execution, breaking the encryption tunnel, or exposing user traffic or identity.
e.g. RCE on infrastructure · tunnel/crypto bypass · mass user data exposure
Scope
What's in & out of scope

Please focus your research on the assets below. Anything that could harm real users or data is strictly out of scope.

In scope
  • LunoVPN apps — iOS, Android, Windows and macOS
  • Web properties on lunovpn.com (site, account dashboard, payment flow)
  • Public API endpoints
  • LunoGuard client implementation & configuration handling
  • Authentication, session and account-security issues
  • Leaks: DNS, IPv6, WebRTC or kill-switch bypass
Out of scope
  • Denial-of-service (DoS/DDoS) or volumetric attacks
  • Social engineering, phishing or physical attacks on staff
  • Testing against other users' accounts or real traffic
  • Automated scanner output with no demonstrated impact
  • Missing best-practice headers without a real exploit
  • Third-party services not operated by LunoVPN
The rules
Play fair & safe

Follow these guidelines so your report qualifies and everyone stays protected.

Please do

  • Report any vulnerability promptly and privately to our security team
  • Give clear, reproducible steps and proof-of-concept details
  • Use only your own test accounts and data
  • Give us reasonable time to investigate and fix before any disclosure
  • Keep the details confidential until we confirm a fix

Please don't

  • Access, modify or destroy data that isn't yours
  • Degrade service or run disruptive automated attacks
  • Publicly disclose a vulnerability before it's fixed
  • Use the bug to pivot deeper or maintain persistence
  • Demand payment or threaten disclosure for a higher reward
The process
From report to reward

Here's exactly what happens after you submit a valid report.

  1. Submit: Email your detailed report with reproduction steps to our security team.
  2. Triage: We acknowledge within 48 hours and assess severity and impact.
  3. Fix: Our engineers verify, reproduce and deploy a fix as quickly as possible.
  4. Reward: You're paid up to $1,000 and, if you wish, credited in our Hall of Fame.

Safe Harbor

We will not pursue legal action against researchers who act in good faith and follow this policy — testing only within scope, respecting user privacy, and disclosing responsibly. If you're unsure whether something is allowed, ask us first at [email protected] before testing. Act in good faith, and we've got your back.

FAQ
Bug bounty questions
How much can I earn?
Rewards scale with severity, up to a maximum of $1,000 for the most critical, high-impact vulnerabilities. The final amount is decided by our security team based on impact, exploitability and report quality.
How do I submit a report?
Email a detailed report — including reproduction steps and a proof of concept — to [email protected]. The clearer your report, the faster we can validate and reward it.
How fast will I hear back?
We aim to acknowledge every valid report within 48 hours and keep you updated through triage, fix and reward.
What makes a report qualify?
It must be an in-scope, original, previously unreported vulnerability with a demonstrated security impact and clear reproduction steps. Duplicate or theoretical issues without impact may not qualify.
Can I disclose the bug publicly?
Please keep findings confidential until we've confirmed a fix. We're happy to coordinate a public disclosure with you afterwards, and to credit you in our Hall of Fame.
How are rewards paid?
After a fix is confirmed, we arrange payment of your reward. Payout details are coordinated directly with you during the process.

Found something? Tell us.

Help us protect millions of users — and earn up to $1,000 for your discovery.

[email protected]
© 2025 LunoVPN