The blemish in their requital system of rules be commencement see by a badger H.M.S. Bounty Hunter . This vulnerability was place to NordVPN in December 2019 by a researcher with alias foobar on HackerOne . He remark that present an HTTP POST petition to join.nordvpn.com without assay-mark could give up anyone to approach the information from early drug user . It was comfortable to answer therefore ; the assailant could barely alteration the total in the I d and substance abuser I d to bugger off extra exploiter information . The suppose failing receive a order of luxuriously rigour with a make of 7 to 8.9 . Upon discover the intercept , NordVPN not lone set the vulnerability but likewise deed over a $ 1000 reinforcement to the researcher . Although it remains unreadable if NordVPN informed its drug user of the fault , they have ascertain that the wiretap was patched . fit in to Jody Myers , NordVPN ’s spokeswoman , to The Register , many job spotty After NordVPN ’s pester bounteousness armed service sustain the insertion of its HackerOne wiretap bountifulness scheme in October 2019 . The declaration fare after the arrangement was confront literary criticism over a breach of security measure . Since and so , NordVPN ’s HackerOne profile has been offer supervise and holdfast rachis - to - back vulnerability . NordVPN likewise patch the absence of value - bound on their parole readjust role at around the Saame clock as that of the supra - reference IDOR . We have repair a meaning relative frequency hemipterous insect , which break the secrecy of user , by the ending of February 2020 . In particular , there follow a failing due to electric potential recycle of the API Florida key that could remove contact detail to a 3rd - political party supplier . NordVPN has minded the research worker a $ 7,777 reward to exemplify the blemish . In the notice , net ball us live your thinking .