DeVpn's architecture makes traffic logging impossible by design. But no system is perfect. If you find a vulnerability, we want to hear about it — and we'll reward you for it.
Bounty Scope & Rewards
Critical500 — 5,000 DVPN
VPN traffic interception or decryption
Unauthorized access to user accounts
Private key exposure
Wallet or payout manipulation
Control plane remote code execution
Database access without authentication
High200 — 500 DVPN
Authentication bypass
Session hijacking
API endpoints leaking sensitive data
Provider impersonation
Staking contract manipulation
Medium50 — 200 DVPN
Cross-site scripting (XSS)
CSRF attacks
Information disclosure (non-sensitive)
Rate limiting bypass
Claim code brute force
Low10 — 50 DVPN
UI bugs exposing data
Broken access controls on non-sensitive pages
Missing security headers
SSL/TLS misconfigurations
Out of Scope
Social engineering or phishing
Physical attacks
DDoS or volumetric attacks
Vulnerabilities in third-party services (Cloudflare, Solana, WireGuard protocol)
Already reported or known issues
Automated scanning without prior approval
Rules of Engagement
Responsible disclosure: 90 days before public disclosure
Do not disrupt the live service or affect real user traffic
Do not access, modify, or delete real user data
Test only against your own account
First valid reporter receives the bounty
DeVpn team has final determination on severity classification
DeVpn