ActiVPN provides an easy-to-use anonymizing VPN service.

Focus areas:

• Code Execution at server side: BOF, UAF in our server applications
• Web Command Injection: Shell Injection, XSS, SQL Injection, PHP injection
• Open redirect
• Authentication or authorization flaw, or significant info leak of customer data

Not eligible

• DDOS
• Spam
• Phishing
• Logout CSRF
• ClickJacking
• Directory Listing (unless you get server interpreted source code)
• CSRF (unless affects the confidentiality or the availability of the user data)
• Session Fixation
• Missing Content-Type header unless you can upload a file
• Cookie set without secure flag
• no HSTS flag
• Cache settings (unless you get code execution or privilege escalation or significant infoleak)
• Path/Exception disclosure (we voluntarily setup an exception mechanism that indicates you information about the failure for helping pentesting)
• Password auto-complete in Browser
• password policy

Read more