ExpressVPN has a self-hosted, public bug bounty program that focuses on vulnerabilities in its client applications and VPN servers, with rewards ranging from $2,100 to $2,500 for P1 submissions. The program is designed to attract researchers with skills in web app security, API security, mobile device app security, browser extension security, router firmware security, and security protocol security. The ExpressVPN team will work with researchers to validate their reports, remediate discovered vulnerabilities, and recognize contributions to improving the company's security. The program has opportunities for researchers of all skill levels, from recon to deep-diving security vulnerabilities, and offers a variety of target assets and skill types.