Responsible Disclosure

Send your report by email to [email protected]. Please include:

• A clear description of the vulnerability and its potential impact
• Steps to reproduce or a proof-of-concept (if possible)
• The affected component (website, API, Windows client, mobile app, VPN server, etc.)
• Any suggested mitigations you have identified

We will acknowledge your report within 48 hours and aim to provide a resolution timeline within 5 business days.

• We will not pursue legal action against researchers who act in good faith under this policy.
• We will keep you informed of our progress throughout the remediation process.
• We will credit you in our security acknowledgements (unless you prefer to remain anonymous).
• We will treat your report with strict confidentiality and not share your personal details without your consent.

• Give us a reasonable amount of time to fix the issue before any public disclosure.
• Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability.
• Do not perform denial-of-service attacks or any action that degrades service availability.
• Do not use social engineering, phishing, or physical attacks against VPNBee staff or infrastructure.
• Only test against your own accounts and devices, or use a dedicated test environment.

• vpnbee.org and api.vpnbee.org (website and REST API)
• VPNBee Windows, Android, and iOS clients
• VPN server infrastructure and WireGuard configuration
• Authentication, authorisation, and session management
• Payment flow and Stripe integration
• Data exposure or leakage affecting user privacy

• Denial-of-service or volumetric attacks
• Social engineering of VPNBee employees or contractors
• Physical attacks against servers or offices
• Vulnerabilities in third-party services we use (report these directly to the vendor)
• Missing security headers with no demonstrated impact
• Rate-limiting issues with no realistic attack path
• Automated scanner output without a proof of exploitability

We follow a coordinated disclosure model:

• 0–48 hours — We acknowledge receipt of your report.
• 5 business days — We provide an initial severity assessment and remediation timeline.
• 90 days — Our target to have critical and high-severity issues resolved. We will keep you updated if more time is needed.
• After resolution — We will publish a summary in our security advisories below, crediting the reporter (unless anonymity is requested). If a CVE is warranted we will request one.

If we cannot resolve an issue within 90 days, we will agree a coordinated disclosure date with you. We will never ask you to withhold a disclosure indefinitely.

We maintain a hall of fame for researchers who have helped make VPNBee more secure. If you would like to be recognised, let us know your preferred name or handle when you submit your report.

At this time we do not offer monetary rewards, but we are grateful for every good-faith report and aim to make recognition meaningful.

No acknowledgements yet — be the first.

When a reported vulnerability has been resolved we publish a brief advisory here. This record is our commitment to transparency — users and researchers can see that issues are taken seriously, investigated, and fixed.

No advisories published yet.

For all security-related reports: [email protected]

For general privacy questions, see our Privacy Policy.