The flaw in NordVPN's payment system was first found by a bug bounty hunter. The vulnerability was reported to NordVPN in December 2019 by a researcher using the alias foobar on HackerOne. He noticed that submitting an HTTP POST request to join.nordvpn.com without authentication could allow anyone to access other users' data. Exploiting it was easy: the attacker only had to change the numbers in the id and user id parameters to retrieve additional users' information. In other words, the endpoint looked up whatever object identifier the client supplied without checking whether the requester was authenticated or owned that record, an insecure direct object reference (IDOR). The weakness was rated high severity, with a score of 7 to 8.9. Upon receiving the report, NordVPN not only fixed the vulnerability but also granted the researcher a $1,000 reward. Although it remains unclear whether NordVPN informed its users of the error, the company confirmed that the bug was patched, according to NordVPN spokeswoman Jody Myers, speaking to The Register.

Many Problems Patched After NordVPN's Bug Bounty

NordVPN announced the introduction of its HackerOne bug bounty program in October 2019. The announcement came while the organization was facing criticism over a security breach. Since then, NordVPN's HackerOne program has been receiving and fixing a steady stream of vulnerabilities. At around the same time as the IDOR described above, NordVPN also patched the absence of rate limiting on its password reset function. By the end of February 2020, NordVPN had fixed another significant bug that breached users' privacy. Specifically, the weakness stemmed from the potential reuse of an API key that could transfer contact details to a third-party provider. NordVPN paid the researcher who demonstrated that flaw a $7,777 reward.

In the comments, let us know your thoughts.
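The two bug classes described above, the IDOR on the user-lookup endpoint and the missing rate limit on password reset, are modelled here in an added example that is not NordVPN's code; the user records, handler names and limiter parameters are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample user records keyed by numeric user id (not real data).
USERS = {
    101: {"email": "alice@example.invalid", "plan": "2-year"},
    102: {"email": "bob@example.invalid", "plan": "monthly"},
}


def vulnerable_get_user(requested_user_id, session_user_id=None):
    """IDOR pattern: serves whatever user id the client supplies and never
    checks who is asking, so changing the number reads other users' records."""
    return USERS.get(requested_user_id)


def hardened_get_user(requested_user_id, session_user_id=None):
    """Object-level authorization: the caller must be authenticated and may
    only read the record that belongs to the authenticated session."""
    if session_user_id is None:
        return None  # unauthenticated request: deny
    if requested_user_id != session_user_id:
        return None  # authenticated, but not the owner of this object: deny
    return USERS.get(requested_user_id)


class ResetRateLimiter:
    """Sliding-window limiter: at most `limit` password-reset requests per
    account within `window` seconds. Timestamps are passed in explicitly so
    the behaviour is deterministic and testable."""

    def __init__(self, limit=5, window=3600):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # account -> request timestamps

    def allow(self, account, now):
        q = self._hits[account]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) >= self.limit:
            return False  # window is full: reject this reset request
        q.append(now)
        return True
```

The hardened lookup denies both the unauthenticated case and the cross-account case; the limiter rejects the request that would exceed the window and admits again once old requests expire.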