
When Bug Bounties Border on Blackmail
In May of 2018 TorGuard launched our Bug Bounty program which provides researchers clear guidance on how to submit security concerns to TorGuard management using responsible disclosure. We are extremely grateful to the security community for their contributions and professionalism while working with us. Unfortunately, not all in the security community have followed these policies and we recently received a report outside of the appropriate channels.
We were surprised when an unknown individual showed up uninvited at a staff member’s personal residence asking to speak about the VPN industry. This same TorGuard staff member received an email on their personal email account from a competing VPN company asking to discuss the relationship between both VPN providers.
During the conversation the individual demanded a “gentleman’s agreement” asking us to persuade one of our VPN affiliates, Tom Spark Reviews, to remove negative content from YouTube regarding their own VPN brand. The representative then revealed they had damaging information about TorGuard that would be released if we did not comply.
Due to the unprofessionalism during disclosure we are choosing to respond publicly to this report and demand.
The report noted that our 2017 IPsec streaming server install scripts had recently become open in error.
TorGuard’s network team immediately verified that this server was left open during upgrades. However, the cert and server in question have not been used for installs since January 2018 and are not in production on the TorGuard network. There is no security risk to TorGuard users running streaming IP add-ons, IPsec VPN, or any other VPN server.
Even though no security risk past or present was found, TorGuard has reissued all certs per our security protocol.
After confirming the disclosure was not a vulnerability, our team began to research how a private URL from an old server install script was obtained years later.
We dug deeper and discovered this specific install script was last used at a web hosting company with whom we canceled service after testing for a few days. The reason for cancellation was suspicious activity by the web host that occurred during our initial setup.
At this time TorGuard cannot publicly disclose further details regarding this hosting company due to pending legal action.
As a result of this disclosure, we are now conducting an audit of ownership for all hosting providers that TorGuard works with. We will be terminating relationships with all hosting companies that have any link to the owners, associates, or shareholders of this competing VPN service.
Update 6/28/19:
TorGuard filed the attached complaint against NordVPN in the Middle District of Florida yesterday. https://t.co/gLYUjdjqpQ
— TorGuard (@TorGuard) June 27, 2019
“However much you deny the truth, the truth goes on existing.” – George Orwell
— TorGuard (@TorGuard) June 27, 2019