NordVPN fixed a serious bug, which breached the privacy of users, by the end of February 2020. The flaw in their payment system was first discovered by a bug bounty hunter. Specifically, there was a weakness due to possible reuse of the API key that could transfer linked items to a third-party provider. Although it remains unclear whether NordVPN informed its users of the error, they have confirmed that the bug was patched. NordVPN gave the researcher a $7,777 reward for demonstrating the flaw.

Since then, NordVPN's HackerOne profile has shown back-to-back vulnerabilities being reported and fixed. According to Jody Myers, NordVPN's spokeswoman, speaking to The Register, many issues were patched after NordVPN confirmed the launch of its HackerOne bug bounty program in October 2019.

The said vulnerability received a rating of high severity, with a score of 7 to 8.9. It was easy to exploit: the attacker could simply change the number in the ID and user ID to get additional user information.

This vulnerability was submitted to NordVPN in December 2019 by a researcher with the pseudonym foobar on HackerOne. He found that submitting an HTTP POST request to join.nordvpn.com without authentication could allow anyone to access the information of other users. NordVPN also patched the absence of rate-limiting on their password reset function at around the same time as the above-mentioned IDOR.

The announcement came after the organisation was facing criticism over a breach of security. Upon disclosure of the bug, NordVPN not only fixed the vulnerability but also granted a $1000 reward to the researcher.